Skip to content
Cybersecurity6 min read

Top 5 tips for solving the email security problem

AB

Amara Bello

Head of Cyber Security4 June 2026

The vast majority of breaches still start with a single email. Not a zero-day, not a state actor, a convincing message and a busy person who clicked. That makes email both the oldest attack surface and, frustratingly, the one most organisations still under-invest in.

1. Authenticate your own domain

SPF, DKIM, and DMARC are the seatbelts of email. Configured properly, they stop attackers spoofing your domain to your own staff and customers. Start in monitoring mode, read the reports, then move to an enforcing policy once you are confident legitimate mail passes.

2. Filter before humans ever see it

A modern secure email gateway catches the bulk of malicious mail before it lands. Layer on link rewriting and attachment sandboxing so that even a clicked link is checked at the moment of the click, not just at delivery.

The five controls that move the needle

  • Domain authentication with an enforcing DMARC policy.
  • A secure gateway with sandboxing and time-of-click link checks.
  • Multi-factor authentication on every mailbox, no exceptions.
  • Regular, realistic phishing simulations with coaching, not blame.
  • A one-click report button that routes straight to your security team.

3. Make MFA non-negotiable

Even if a password leaks, multi-factor authentication stops most account takeovers cold. Prefer app-based or hardware tokens over SMS, and watch for MFA-fatigue attacks where users are spammed with prompts until they approve one.

4. Train for reality, not compliance

Annual slideshows do not change behaviour. Short, frequent, realistic simulations do. The goal is not to catch people out, it is to build the reflex to pause and check when something feels off.

The organisations that handle phishing best treat a reported email as a win, not a failure. Reporting is the behaviour you want to reward.

Amara Bello, Head of Cyber Security

5. Rehearse the response

Assume one will get through eventually. A short, well-rehearsed playbook, who to call, how to lock an account, how to pull a message back, turns a potential incident into a non-event.

TagsCybersecurityEmailPhishingZero trust
AB

About the author

Amara Bello

Head of Cyber Security

Amara runs the security practice at Abeytrust, from phishing simulations to incident response. She has led security programmes for organisations across finance and healthcare.

More from the blog
CONTACT US

Partner with Us for Comprehensive IT

We're happy to answer any questions you may have and help you determine which of our services best fit your needs.

Call us at: +44 778 0510 590

WhatsApp: +234 706 378 3986

Your benefits:

  • Client-oriented
  • Results-driven
  • Independent
  • Problem-solving
  • Competent
  • Transparent

Schedule a Free Consultation