Almost every day we hear from prospects how they have an email security gateway, so they are protected from phishing. Another variant is “We don’t have a phishing problem” although rarely can someone describe how they know this to be true.

For many organizations that do admit that phishing is a problem, the most common response is “we do training.” From my early days as a technical trainer, I remember seeing firsthand how well people absorbed training. Suffice to say it wasn’t pretty. Don’t get me wrong; there is always a subset of people that do pay attention and retain some of what they learned. But a much larger percentage retain very little, if any, of the training. Recent reports from Security Awareness & Education vendors are saying this same thing; training helps but nowhere near as much as people have been led (or want) to believe.

And then there’s the age-old “IT is taking care of this.” Part of the above-noted training is to ask users to send suspicious email to the internal IT team for review. I have talked with many people across all departments, and they consistently say they don’t send email to their IT team because it takes too long to get a response.

Despite all the above, phishing is still making the news. “Insert company name here” was breached as the result of a phishing email. Not wanting to rush to any conclusions, but it sure feels like something is amiss.

  • Email security gateways are challenged to address highly targeted, low volume attacks.
  • Training is wasted on a large percentage of users.
  • IT teams are very busy.

Alright then, you say, what do I do? First, and foremost, admit that phishing email are getting past your email security gateway and will continue to do so for the foreseeable future. Email security gateways are vital, but not foolproof. Accepting that phishing email will reach your users frees you to ask “How do I safely include my users in detecting phishing?”


Expecting users to decipher bad email from good is a recipe for disaster (i.e. breach). You are asking your users to be smarter than the cybercriminals who spend all day figuring out HOW TO OUTSMART USERS.

Why not just give your users a very binary choice? Don’t worry above hovering over the link to review the actual URL. Don’t question whether it really came from your CEO who, by the way, has never (ever) sent you an email before. Don’t open that attachment in the “urgent” email you just received from the vendor (do we really do business with this company?) who claims you are past due on an invoice.

Trust it, or test it. Send the message to email security experts who will give you a response in a matter of minutes.

Or, go ahead and tell me again: “I’m good, thanks”.