UK businesses warned over email governance blind spots
Exclaimer has urged organisations to tighten controls over outbound email governance after new UK data showed that 83% of IT leaders had experienced an email-related security incident.
The findings suggest a gap between investment in cloud access security and oversight of what leaves company systems through email. Only 38% of UK enterprises have fully integrated email into their wider security and compliance stack, limiting central control over external communications.
The warning comes as UK businesses continue to face persistent cyber risks. Government survey data cited by Exclaimer shows that 43% of UK businesses reported a cyber breach over the past year, with phishing and other email-borne threats still the most common route in.
While much of the security debate has focused on inbound threats, Exclaimer argued that outbound email has received less scrutiny. Governance, it said, often breaks down at the point of sending, where individual users, manual processes and disconnected tools create inconsistency.
Exclaimer also highlighted the financial impact of cyber incidents, citing research that puts the average cost of a significant cyber attack to a UK business at almost £195,000. Across the UK, that amounts to roughly £14.7 billion a year.
Communication Risk
Karl Bagci, Director of IT and Information Security at Exclaimer, said the main issue for many organisations is no longer basic awareness of email risk, but the ability to apply controls consistently across large volumes of communication.
“World Cloud Security Day is a reminder that most organisations have gotten very good at controlling who gets into their systems, but far fewer are controlling what comes out,” said Bagci. “Email is still one of the most trusted and heavily used business channels, but it remains one of the least consistently governed at scale. What we’re seeing is a shift in risk from infrastructure to behaviour: how people communicate, what they send, and whether those communications are controlled.”
That argument reflects a broader shift in security priorities as businesses adopt more cloud software and spread work across more devices and users. The challenge, according to Exclaimer, is maintaining oversight once communication leaves tightly controlled systems and becomes part of day-to-day staff activity.
This is particularly relevant where disclaimers, branding and compliance messages are handled by individual employees rather than enforced centrally. In those cases, organisations may struggle to ensure that every message meets internal policy or external regulatory requirements.
Blind Spot
Bagci said the weak point often sits at the boundary between secure systems and employee actions.
“This creates a critical blind spot at the point where communication exits the organisation, affecting compliance, brand integrity, and customer trust,” he said. “Without centralised governance, businesses have limited control over how disclaimers are applied, how regulatory requirements are met, or how consistently the organisation is represented across every interaction.”
That concern is likely to be more acute in regulated sectors, where missing or inconsistent information in customer emails can create legal or compliance problems. Even in less tightly regulated industries, inconsistent messaging can still affect customer confidence and corporate reputation.
Exclaimer linked the trend to the growing scale and complexity of business communication. It cited IBM research showing that one in six data breaches now involve AI-driven attacks, underlining how quickly communication volumes and risks are changing.
Real-Time Oversight
Exclaimer argued that managing email risk at scale requires policy-led controls applied in real time, rather than relying on manual action by staff. The issue becomes more pressing as email traffic spreads across users, devices and AI-assisted tools.
Exclaimer, which sells email signature management software for Microsoft 365 and Google Workspace, framed the issue as one of governance rather than simple technical defence. In its view, cloud security efforts have become stronger at controlling access to systems, but less effective at controlling the information that leaves them.
“World Cloud Security Day serves as a timely reminder that cloud security is no longer just about protecting systems. It is about managing the flow of information across them. And that includes looking at how you govern your email communications,” said Bagci.