Because as the size of your organization increases, the probability that an individual employee’s company email is in that breach rises to 1. That lone employee is going to be suffering some unfortunate impacts, from identity theft, financial scams, blackmail, and even death threats (as seen in the Ashley Madison breach). There’s an organizational impact as well: a single compromised account can serve as a launching point for reconnaissance, phishing waves, or a pivot point for a further attack.
But wait? What if the exposure is a company webmail that is isolated from the main corporate network?