Your Team Is Your Biggest Security Risk (And That's Fixable)
7 April 2026
When people think about cyber attacks, they picture hackers in dark rooms breaking through firewalls. The reality is much less dramatic — and much more effective. Most successful attacks don't exploit software. They exploit people.
A convincing email. A fake login page. A message that looks like it's from the boss. One click from one person and an attacker has credentials, access, and a way in. No firewall in the world stops someone from typing their password into a phishing page.
Why Phishing Works
Phishing emails have evolved far beyond the "Nigerian prince" era. Modern phishing is targeted, well-written, and often indistinguishable from real messages. Here's what we see in practice:
- Impersonation emails: Messages that appear to come from your CEO, your accountant, or a known supplier. The sender name matches, the tone is right, and the request seems reasonable — "Can you process this payment?" or "Please review the attached invoice."
- Credential harvesting: Emails linking to fake Microsoft 365 login pages. The page looks identical to the real thing. The user enters their email and password, and the attacker captures both.
- Spoofed domains: An email from @yourcompany.co instead of @yourcompany.co.uk. Close enough that nobody notices unless they're actively looking.
These attacks don't need technical skill to succeed. They need one person to be busy, distracted, or trusting enough to click.
What a Basic Anti-Phishing Setup Looks Like
You can't train away all risk. People will always make mistakes — especially under pressure. But you can reduce the surface area dramatically with the right policies:
- SPF, DKIM, and DMARC: These three email authentication protocols prevent attackers from sending emails that appear to come from your domain. If you haven't configured them, anyone can send an email that looks like it's from you.
- Anti-phishing policies: Microsoft 365 includes built-in anti-phishing tools — impersonation detection, spoof intelligence, and safe links. Most businesses haven't turned them on.
- MFA everywhere: Even if someone's password gets phished, MFA stops the attacker from using it. This is the single most effective defence against credential theft.
- External email tagging: A simple banner on emails from outside your organisation — "[EXTERNAL]" in the subject or a warning bar — makes people pause before trusting a message.
Training Helps, but Policies Help More
Relying on training alone is like relying on drivers to never make mistakes — the guardrails still need to be there.
Security awareness training is useful. People should know what phishing looks like, how to check sender addresses, and when to be suspicious. But it can't be your only line of defence.
The most effective approach is both: train people to be aware, and put policies in place so that when someone does click the wrong link, the damage is contained. MFA blocks the stolen password. Conditional Access blocks the suspicious sign-in. Device management lets you isolate the compromised machine.
Key takeaway
Your team isn't the problem. The lack of protection around them is.
Our cybersecurity services are built to put exactly these guardrails in place.
Want to talk about this?
Book a free 15-minute call and we'll discuss how this applies to your business.
Book a Free CallGet IT tips in your inbox
Practical advice for small businesses. No spam.
