The vast majority of breaches still start with a single email. Not a zero-day, not a state actor, a convincing message and a busy person who clicked. That makes email both the oldest attack surface and, frustratingly, the one most organisations still under-invest in.
1. Authenticate your own domain
SPF, DKIM, and DMARC are the seatbelts of email. Configured properly, they stop attackers spoofing your domain to your own staff and customers. Start in monitoring mode, read the reports, then move to an enforcing policy once you are confident legitimate mail passes.
2. Filter before humans ever see it
A modern secure email gateway catches the bulk of malicious mail before it lands. Layer on link rewriting and attachment sandboxing so that even a clicked link is checked at the moment of the click, not just at delivery.
The five controls that move the needle
- Domain authentication with an enforcing DMARC policy.
- A secure gateway with sandboxing and time-of-click link checks.
- Multi-factor authentication on every mailbox, no exceptions.
- Regular, realistic phishing simulations with coaching, not blame.
- A one-click report button that routes straight to your security team.
3. Make MFA non-negotiable
Even if a password leaks, multi-factor authentication stops most account takeovers cold. Prefer app-based or hardware tokens over SMS, and watch for MFA-fatigue attacks where users are spammed with prompts until they approve one.
4. Train for reality, not compliance
Annual slideshows do not change behaviour. Short, frequent, realistic simulations do. The goal is not to catch people out, it is to build the reflex to pause and check when something feels off.
“The organisations that handle phishing best treat a reported email as a win, not a failure. Reporting is the behaviour you want to reward.”
5. Rehearse the response
Assume one will get through eventually. A short, well-rehearsed playbook, who to call, how to lock an account, how to pull a message back, turns a potential incident into a non-event.