Email remains a major threat, especially for smaller companies that lack dedicated security resources. I've noticed a variety of strategies being employed—from traditional secure email gateways like Proofpoint and Mimecast to modern AI-driven tools such as MailArmor, as well as built-in protections in Microsoft 365 and Google Workspace. For teams that have limited budgets, what approaches have proven effective in fighting phishing and email-related attacks?
8 Answers
Has anyone tried Field Effect? They claim to offer email security along with security awareness training. We're thinking about their managed detection response service, but I’d love to hear experiences from others.
Many small teams I know just rely on hope and scold their users when someone inevitably clicks a suspicious link! Those that manage to avoid ransomware often use Microsoft 365 Defender effectively, paired with strong multi-factor authentication (MFA). That combination takes care of a large portion of the problem.
I handle IT at a small company with about 60 users, and we’ve implemented Check Point Harmony. It’s been super effective, catching maybe one phishing attempt a month out of 70,000 emails. It was easy to set up, just a few clicks, plus we conduct phishing simulations bi-weekly. Since we started with conditional access and Check Point, our issues have virtually vanished!
Our team combines traditional secure email gateways with AI tools for tasty phishing protection. We’ve got Microsoft services internally and at client sites, which automatically triage account takeover attempts, making it much easier to handle threats.
We use Barracuda's email gateway to verify all links, and we also run quarterly training campaigns. It's been working for us, but I wonder if it's still too outdated for today's threats?
Implementing DMARC has completely eliminated domain spoofing for us. Also, using Windows Hello and Passkeys means that if a user does get phished, there's an extra layer of protection.
I recommend checking out Proofpoint Essentials; it’s a scaled-down version that works well for smaller teams. Plus, their awareness training module is critical for preventing phishing, even in a smaller setup.
Most small groups I know are having success just by maximizing Microsoft 365 or Google Workspace's native features—turning on Advanced Threat Protection and enforcing MFA. Setting up DMARC/DKIM helps catch a lot too! It's crucial to balance this with regular phishing simulations and basic training, as even the best filters can’t catch every threat.

That sounds like a smart strategy! The SEG combined with AI really does seem like the way to go. Automated triaging must make things so much simpler when users click something dodgy.