intelligent

Next , get the identity hygiene right . This means having an identity strategy and a strong authentication policy that ensures unique passwords . Consider password vault options because in the end there aren ’ t bad users , but there are a lot of security departments that expect users to behave unnaturally . Make it easier to activate the human layer to participate in its own rescue .

Then apply security layers on top of the mail stack . Consider spam and phishing filters and look into the step-up security features of the stack you use . For instance , Google has a Confidential mode that many don ’ t even know exists . Consider what protocols can be used for email , whether filters are bypassed for internal users ( don ’ t do this !) and options to validate email with SPF , DKIM and DMARC .

It ’ s vital that security moves with the business and doesn ’ t grind all email to a halt . Nothing will sink a security program and kill new initiatives faster than becoming the business inhibition team .

Defence-in-depth may have developed a bad name over the years , but there ’ s enormous validity to it in control layers . Just as antivirus or firewalls fail , so can the best of email security controls . The best strategy assumes that prevention tools in email will be defeated and proactively seeks to detect the malicious operations that start with email compromise with a strong detection strategy : EDR / XDR and MDR . These aren ’ t really endpoint tools , they are the way to catch advanced attackers in an enterprise environment with depth used to advantage .

It ’ s also worth leaning into vendors out there in the email security space , from established vendors which can help coordinate a strategy and add layers to your email stack to emerging solutions . Vendors aren ’ t the enemy . Many will fail . But this is the source of tomorrow ’ s solutions and building the skill to talk with them and see technology evolve will help you find the solution that can make a difference . �

EMAIL REMAINS ONE OF THE MOST COMPROMISED SERVICES NO MATTER HOW MUCH SECURITY TRAINING WE THROW AT IT , BUT IT DOESN ’ T HAVE TO BE THAT WAY .