For many years I ran (and still do, to a degree) a hosting reseller business. It fits naturally alongside handling items such as DNS, DMARC and DKIM. The most common form of hosting for small, and even medium-sized, businesses is shared hosting: your website and email sit on a server that is shared with a dozen or more other businesses. This keeps costs down and has minimal performance impact as long as all the tenants are small. It also means that, most often, your email and your website share the same space on the same server, and that is a dangerous practice for your email security and privacy for a number of reasons.
Your hosting provider CAN see your emails
Whether you like it or not, and no matter how many contracts and assurances are in place, your hosting provider is able to read your emails. Most servers I’ve encountered use the same platforms for mail, storing each email as a file on the server, in folders corresponding to each mailbox. By default you don’t see these, but they are there: if you access the server via FTP, the cPanel file manager or SSH, chances are you’ll see a “Mail” or “Users” folder that contains all the mailboxes. Your provider needs that same file-level access to maintain the server, so an unscrupulous employee can read your mail without ever knowing a mailbox password.
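As an added illustration (this is not code from the original post), the script below builds a constructed cPanel-style mail tree and then reads every message in it using nothing but file access, which is exactly what an FTP, SSH or file-manager login gives you. The ~/mail/<domain>/<user>/{cur,new,tmp} Maildir layout is an assumption based on how cPanel and Dovecot lay mail out; the mailboxes and messages are constructed here, not taken from any real server.

```python
"""Added example: whoever can read the home directory of a cPanel-style
shared account can read every mailbox in it, no mailbox password needed.

Assumptions (not from the original post): mail lives in the Maildir
layout ~/mail/<domain>/<user>/{cur,new,tmp}. Everything below is built in
a temporary directory so the script runs offline.
"""
import mailbox
import os
import tempfile
from email.message import EmailMessage


def build_sample_maildir(home):
    """Create a constructed ~/mail tree with two domains and three mailboxes."""
    samples = {
        ("example.com", "accounts"): [
            ("ceo@example.com", "Q3 payroll file"),
            ("bank@example.net", "Your new card PIN"),
        ],
        ("example.com", "sales"): [("lead@example.org", "Contract draft")],
        ("example.net", "info"): [("user@example.org", "Password reset")],
    }
    for (domain, user), messages in samples.items():
        path = os.path.join(home, "mail", domain, user)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        box = mailbox.Maildir(path, create=True)    # creates cur/new/tmp
        for sender, subject in messages:
            msg = EmailMessage()
            msg["From"] = sender
            msg["To"] = f"{user}@{domain}"
            msg["Subject"] = subject
            msg.set_content("constructed body")
            box.add(msg)
        box.close()
    return os.path.join(home, "mail")


def summarise_mailboxes(mail_root):
    """Walk mail/<domain>/<user> and read every message as plain files.

    The only credential involved is the one that granted file access
    (FTP, SSH or the cPanel file manager); mailbox passwords never matter.
    """
    found = []
    for domain in sorted(os.listdir(mail_root)):
        dpath = os.path.join(mail_root, domain)
        if not os.path.isdir(dpath):
            continue
        for user in sorted(os.listdir(dpath)):
            upath = os.path.join(dpath, user)
            if not os.path.isdir(os.path.join(upath, "cur")):
                continue                              # not a Maildir
            for msg in mailbox.Maildir(upath, create=False):
                found.append({
                    "mailbox": f"{user}@{domain}",
                    "from": msg["From"],
                    "subject": msg["Subject"],
                })
    return found


def run_demo():
    """Build the constructed tree in a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as home:
        return summarise_mailboxes(build_sample_maildir(home))


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['mailbox']:<22} {row['from']:<22} {row['subject']}")
```

Run as-is it prints the sender and subject of every message in every mailbox. Point summarise_mailboxes() at the real mail directory of a shared account (over SSH, or after pulling it down with SFTP) and you will see your own mailbox and every other mailbox on that account the same way.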
A breach on FTP could be a breach on emails
I alluded above to the fact that logging in with FTP can expose your mail. FTP is not known for its security: plain FTP sends the username and password in cleartext unless FTPS or SFTP is used, and I often see servers that don’t support special characters in passwords, which immediately weakens your security posture. Any form of security is only as good as its weakest link. You could have an incredibly strong mailbox password, but if someone brute-forces your FTP account (or your web developers share one weak password among everyone), all of your mail is at risk regardless of how strong the mailbox password is.
Moving hosts is a royal pain
When your email is stored on a shared host, you have to transfer it as well as your website if you ever decide to move providers. If you have a number of mailboxes this is incredibly painful and leaves the door open for many things to go wrong: loss of data (which can itself count as a breach), shared passwords, and complete mix-ups of mail on restore. One of the things I despise most is moving emails between hosts, to the extent that I no longer offer this service unless it is to Microsoft 365 or Google Workspace.
You don’t get 2FA or other secure protocols
Shared hosting offers the bare basics: POP3, IMAP and SMTP, protocols whose designs date from well before today’s threat landscape and which did not originally consider security at all. Encryption was retrofitted later (TLS via STARTTLS, or implicit TLS on ports 993, 995 and 465), so it is not secure by design, and many shared hosts still treat it as an optional extra rather than the default. Authentication is the bigger problem: on a typical shared host these protocols accept a username and password and nothing more, so a phished or brute-forced password is all an attacker needs. Platforms like Google Workspace and Microsoft 365, by contrast, authenticate mail clients with OAuth 2.0 based modern authentication, which is what lets them enforce multifactor authentication on mailbox access and switch off legacy basic authentication altogether. MFA is a non-negotiable security feature that you simply have to have on your email.
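The following is an added example, not code from the original post: a small Python checker that parses what an IMAP or SMTP server advertises on its cleartext port before TLS and grades it against the points above. A server with no STARTTLS, or one that leaves LOGIN enabled and advertises AUTH=PLAIN or AUTH=LOGIN before TLS, will accept a password in the clear; a server whose mechanisms include XOAUTH2 or OAUTHBEARER is one on which token-based sign-in, and therefore MFA, can actually apply. The sample responses are constructed to exercise each grade; probe_imap() performs a live lookup against whatever host name you pass on the command line (imap.example.com in the comment is a placeholder).

```python
"""Added example (not from the original post): inspect what an IMAP or
SMTP server advertises on its cleartext port before any TLS is negotiated,
and grade the legacy-auth weaknesses described above.

The responses in SAMPLES and SMTP_WEAK are constructed, not captured from
any real host. probe_imap() is a live check against a host you name.
"""
import re
import socket
import sys

OAUTH_MECHS = {"XOAUTH2", "OAUTHBEARER"}   # token-based SASL mechanisms


def imap_capabilities(line):
    """Tokens from '* CAPABILITY ...' or a '* OK [CAPABILITY ...]' greeting."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def smtp_extensions(ehlo_lines):
    """Map EHLO extension keyword -> parameters; line 0 is the hostname."""
    exts = {}
    for raw in ehlo_lines[1:]:
        m = re.match(r"250[- ](\S+)\s*(.*)", raw.strip())
        if m:
            exts[m.group(1).upper()] = m.group(2).upper().split()
    return exts


def grade(findings):
    levels = {level for level, _ in findings}
    if "high" in levels:
        return "cleartext password exposure"
    if "info" in levels:
        return "password-only"
    return "ok"


def assess_imap(capability_line):
    """Grade a CAPABILITY line seen on port 143 before STARTTLS."""
    caps = imap_capabilities(capability_line)
    findings = []
    if "STARTTLS" not in caps:
        findings.append(("high", "no STARTTLS: credentials can only cross the wire in clear"))
    if "LOGINDISABLED" not in caps:
        findings.append(("high", "LOGINDISABLED absent: plaintext LOGIN accepted before TLS"))
    pre_tls = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if pre_tls:
        findings.append(("high", "password SASL offered before TLS: " + ", ".join(pre_tls)))
    if not {c[5:] for c in caps if c.startswith("AUTH=")} & OAUTH_MECHS:
        findings.append(("info", "no XOAUTH2/OAUTHBEARER advertised: password-only, no token (MFA) path"))
    return {"grade": grade(findings), "findings": findings}


def assess_smtp(ehlo_lines):
    """Grade an EHLO reply seen on port 587 before STARTTLS."""
    exts = smtp_extensions(ehlo_lines)
    findings = []
    if "STARTTLS" not in exts:
        findings.append(("high", "no STARTTLS on the submission port"))
    mechs = set(exts.get("AUTH", []))
    if mechs & {"PLAIN", "LOGIN"}:
        findings.append(("high", "AUTH PLAIN/LOGIN accepted before TLS"))
    if not mechs & OAUTH_MECHS:
        findings.append(("info", "no XOAUTH2/OAUTHBEARER advertised: password-only, no token (MFA) path"))
    return {"grade": grade(findings), "findings": findings}


def probe_imap(host, port=143, timeout=5.0):
    """Live check: connect in the clear and ask for CAPABILITY (no login)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        rd.readline()                                  # server greeting
        sock.sendall(b"a1 CAPABILITY\r\n")
        cap = ""
        while True:
            line = rd.readline().decode("utf-8", "replace")
            if not line:
                break
            if line.upper().startswith("* CAPABILITY"):
                cap = line.strip()
            if line.startswith("a1 "):                 # tagged OK/NO ends the reply
                break
        sock.sendall(b"a2 LOGOUT\r\n")
        return cap


# Constructed responses chosen to exercise each grade.
SAMPLES = {
    "shared host, defaults":   "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE",
    "shared host, TLS forced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE] Dovecot ready.",
    "token-capable":           "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=XOAUTH2 IDLE",
}
SMTP_WEAK = ["250-mail.example.com", "250-SIZE 52428800", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]

if __name__ == "__main__":
    if len(sys.argv) > 1:           # e.g. python check_mail_auth.py imap.example.com
        print(sys.argv[1], "->", assess_imap(probe_imap(sys.argv[1])))
    for name, line in SAMPLES.items():
        print(f"{name:<24} -> {assess_imap(line)['grade']}")
    print(f"{'smtp sample':<24} -> {assess_smtp(SMTP_WEAK)['grade']}")
```

The checker only reads what the server volunteers before TLS and never sends a credential, so it is safe to run against your own host. The SMTP half takes the EHLO reply lines as a list, which you can capture with any telnet or netcat session to port 587 and paste in; a host that hides its AUTH line until after STARTTLS is doing the right thing on the cleartext channel, even though it still grades as password-only.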
What to do
People often scoff at the idea of moving to Microsoft 365 (formerly Office 365) and Google Workspace (formerly G Suite) because there is a cost involved. Your savings in time, headaches, migration and security will completely offset the costs you may incur, I can assure you of this. While both platforms are good, my personal preference is Microsoft 365, from a value perspective as well as from an administration and reporting point of view. If you work smart you can tailor your licences to keep costs down, and you’ll find tremendous benefit in the security and collaboration that’s available. To give you an example of the benefits of Microsoft 365 Business Standard, here are some of the features you get in addition to plain old email on shared hosting:
- Full Microsoft Office suite for 5 devices
- Microsoft Teams for collaboration and teamwork (an excellent platform)
- Sharepoint centralised document management
- 1TB of OneDrive storage
- Synchronised and shared calendars
- Multifactor authentication
- Customer appointment scheduling with Microsoft Bookings
The list goes on. For MFA alone, which means a phished or guessed password is no longer enough on its own to take over a mailbox, I’d say it’s an easy decision. Costs in a phishing incident escalate astronomically, and can easily set you back R50,000 per day in consulting and other fees for containment. Why not remove most of that risk, while improving your security posture, for a relatively low fee per user?
Ross G Saunders Consulting offers a number of solutions that can drive your compliance; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.