TL;DR: Email-based attacks account for over 90% of successful cyber incidents, and the article argues that phishing, business email compromise, spoofing, and third-party compromise make email protection a core control surface for modern organisations, according to SecurityScorecard. The practical lesson is that email security is not just filtering, but governance over identity, trust, and response paths.
NHIMG editorial — based on content published by SecurityScorecard: email security best practices and threat analysis
By the numbers:
- Email-based attacks account for over 90% of successful cyber incidents.
Questions worth separating out
Q: What breaks when email security is treated as a perimeter-only problem?
A: The organisation loses visibility and response speed once messages are delivered.
Q: Why do compromised mailboxes create so much downstream risk?
A: Compromised mailboxes are dangerous because they already sit inside trusted workflows.
Q: How should security teams reduce business email compromise risk beyond secure email gateways?
A: They should add controls that operate after delivery and after user interaction, because BEC usually succeeds by exploiting trust and workflow, not by delivering obvious malware.
Practitioner guidance
- Harden mailbox authentication and recovery paths Require phishing-resistant MFA for privileged mailboxes, secure password reset flows, and alerts on recovery changes so a compromised inbox cannot be used to reset adjacent identities.
- Verify business-critical requests out of band Use secondary confirmation for payment instructions, bank-detail changes, vendor onboarding, and delegation requests.
- Monitor for mailbox abuse patterns Detect impossible travel, abnormal forwarding rules, mass external sending, suspicious OAuth grants, and unusual login geography on high-value accounts.
What's in the full article
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- A fuller breakdown of email security controls, including filtering, encryption, DLP, and awareness training in one operating model.
- Practical discussion of secure email gateways, sandboxing, and threat intelligence integration for blocking malicious messages.
- Compliance considerations for email retention, data protection, and audit logging across regulated environments.
- Service and support options for managed monitoring, incident response, and professional testing of email defences.
👉 Read SecurityScorecard's analysis of email security risks and protections →
Email security failures: what IAM and security teams need to know?
Explore further
Email security is now an identity governance problem, not a messaging problem. The article treats email as a protective layer around communication, but the real risk is that email carries trust, recovery, approval, and vendor relationships. When those trust paths fail, the result is usually credential theft or process abuse before it becomes a classic security incident. Practitioners should govern email as part of identity control, not as a standalone hygiene domain.
A question worth separating out:
Q: Who is accountable when spoofing leads to fraud or compromise?
A: Accountability usually spans the team that owns the channel, the team that defines the workflow and the team that approves the action. If a process accepts unvalidated identity signals, the control owner failed to define the trust boundary clearly enough. Governance should assign ownership to the signal and the decision point.
👉 Read our full editorial: Email security failures expose identity, fraud, and breach risk