The front door of your digital office
A lot of professional firms still run their own email server (often Microsoft Exchange). It can feel safer because it’s “in your control.” But if your email login page (for Exchange, the Outlook Web App sign-in page) is visible on the public internet, it’s like putting your office’s front door on a busy street with a big sign that says: “Try the handle.”
Hackers don’t need to know who you are. They just need to find the door.
Why this is risky
Email logins are one of the most common targets on the internet because they’re:
- easy to find,
- valuable once accessed,
- and often protected by only a username and password.
Attackers use automated tools to:
- guess weak passwords, either hammering one account or trying a single common password against every account they can find
- replay stolen passwords from older breaches elsewhere, betting that someone reused one
- exploit unpatched security flaws in older server versions, some of which work before any login at all, so a strong password never gets a chance to stop them
And once someone gets into your email, the damage can spread quickly.
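The first item above, automated password guessing, leaves a recognisable trace in the web server's own logs: one source address submitting the login form over and over within a short time. The script below is an added example for this article, not code from the original page or from Microsoft. It assumes IIS access logs in the default W3C layout, that the Outlook Web App login form is submitted as a POST to /owa/auth.aspx, and that "more than 5 submissions in 60 seconds" is a reasonable alarm line; the log lines and thresholds are constructed for illustration and should be tuned to your own traffic.

```python
"""Flag source addresses that hammer the Outlook Web App login form.

Added example, not code from the article or from Microsoft. Assumptions:
IIS W3C-format access logs, OWA login form posted to /owa/auth.aspx,
illustrative window and threshold. The sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_POST_PATH = "/owa/auth.aspx"   # assumed: where the OWA sign-in form posts
WINDOW = timedelta(seconds=60)       # illustrative sliding window
THRESHOLD = 5                        # illustrative: flag if more than this per window

# Constructed sample in the default IIS W3C layout (spaces in the
# User-Agent are written as '+', as IIS does). 203.0.113.77 is a scripted
# guesser; the other two addresses are ordinary users.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-05 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 12
2024-03-05 08:00:02 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 40
2024-03-05 08:00:05 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 38
2024-03-05 08:00:08 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 41
2024-03-05 08:00:11 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 39
2024-03-05 08:00:14 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 40
2024-03-05 08:00:17 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 42
2024-03-05 08:00:20 10.0.0.5 POST /owa/auth.aspx - 443 - 203.0.113.77 python-requests/2.31 - 302 0 0 37
2024-03-05 08:10:00 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/123.0 - 200 0 0 15
2024-03-05 08:10:04 10.0.0.5 POST /owa/auth.aspx - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/123.0 - 302 0 0 55
2024-03-05 08:10:05 10.0.0.5 GET /owa/ - 443 jdoe@example.com 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/123.0 - 200 0 0 120
2024-03-05 09:00:00 10.0.0.5 POST /owa/auth.aspx - 443 - 192.0.2.40 Mozilla/5.0+(Macintosh)+Safari/605.1 - 302 0 0 50
2024-03-05 09:00:30 10.0.0.5 POST /owa/auth.aspx - 443 - 192.0.2.40 Mozilla/5.0+(Macintosh)+Safari/605.1 - 302 0 0 50
"""


def parse_iis_line(line):
    """Return (timestamp, method, path, client_ip, status), or None for comment/short lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 12:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return ts, f[3], f[4], f[8], int(f[11])


def login_attempts_by_ip(log_text):
    """Map each client IP to the sorted timestamps of its login-form submissions."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        ts, method, path, ip, _status = rec
        if method == "POST" and path.lower() == LOGIN_POST_PATH:
            attempts[ip].append(ts)
    for ts_list in attempts.values():
        ts_list.sort()
    return dict(attempts)


def peak_in_window(timestamps, window):
    """Largest number of attempts that fall inside any interval of length `window`."""
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_guessing_sources(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: summary} for every IP whose peak submission rate exceeds the threshold."""
    flagged = {}
    for ip, ts_list in login_attempts_by_ip(log_text).items():
        peak = peak_in_window(ts_list, window)
        if peak > threshold:
            flagged[ip] = {
                "peak_per_window": peak,
                "total": len(ts_list),
                "first": ts_list[0].isoformat(),
                "last": ts_list[-1].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_per_window']} login posts within {WINDOW.seconds}s "
              f"({info['total']} total, {info['first']} to {info['last']})")
```

Two caveats a practitioner should keep in mind. The access log does not record which username was tried on a failed form submission (the credentials travel in the request body, which IIS does not log), so this view cannot tell a brute force on one account from a single password tried against many accounts; Windows security event logs or Exchange's own protocol logs are needed for that. And a patient attacker who spaces attempts minutes apart across many addresses will stay under any per-IP threshold, which is exactly why the advice further down is to keep the login page off the public internet rather than rely on spotting the guessing.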
What happens if they get in?
With email access, attackers can:
- read sensitive messages (client info, contracts, bank details, tax docs)
- impersonate employees and send believable emails
- redirect payments by sending fake invoices or “updated wiring instructions”
- use your domain to trick your clients (phishing that looks like it’s from you)
In many real incidents, the technology part is only half the problem—the bigger issue is the trust people place in your email.
How to protect your firm
You have a few practical options:
- Move to a secure hosted email platform
For most firms, Microsoft 365 or Google Workspace reduces risk because the infrastructure and security updates are managed continuously. The accounts still need multi-factor authentication (MFA) turned on; a hosted login page is just as visible to the internet as your own.
- If you keep your own server, hide the admin and login doors
Don’t allow the webmail login page or the admin console to be reachable from the public internet. Require access through a secure “front door” (like a VPN) and require MFA for every account.
- Stay current on updates and limit exposure
Keep the server patched promptly, because some flaws are exploitable before any login and so are not stopped by strong passwords or MFA. Restrict access so only approved locations can even attempt to log in.
The takeaway
Email is the main communication channel for most firms—and attackers know it.
If you can pull up your email server login from a normal browser anywhere, so can they. Treat it like your front door:
keep it locked, limit who can approach it, and require more than just a password to get in.

