With 93%¹ of breaches coming from phishing attacks, it’s top of mind for most businesses.

I recently had a conversation with a colleague who holds a senior position at a Fortune 500 company. The organization has consistently been conducting employee security awareness training, and recently completed a phishing test. Despite their ongoing efforts, a significant number of staff failed. This isn't a surprise: the unfortunate truth is that even with training, more than a quarter² of employees still fail phishing tests. Education alone simply isn't enough, and it's leaving businesses vulnerable.

Many companies react the same way when faced with training shortcomings: they double down on the training. This leaves the larger issue unaddressed. Aside from training, how else can you better equip the staff to identify phishing emails? How can you set up the environment (people, process, and technology) to work better together, making it easier to identify phishing emails?

What's needed here is the CISO Mindset.

Take a Step Back

Education is a critical part of a strong defensive strategy; however, how can we help staff more accurately distinguish phishing from legitimate emails? Rather than throwing more expensive products or training at the problem, let's take a moment and rely on our expertise.

This scenario is the perfect opportunity to offer an Advanced Phishing Protection Service to your client. Leverage your cybersecurity expertise to develop solutions which guide employees to more accurately identify phishing attempts.

Do you offer Advanced Phishing Protection? Customized offerings generate additional revenue while better defending against a breach. It's a win-win. You can reduce response hours and deliver a differentiated, customized service at the same time. Here is how I'd go about building an Advanced Phishing Protection offering.


Sit down with each client and identify their external partners who handle sensitive data, financial transactions, or other business-critical operations. Examples include:

  • Banks: wire transfers
  • Law firms: confidential client information, with emphasis on the largest accounts
  • Accountants: high net-worth account data and credentials for access to platforms that store returns

Your goal is to identify email flows which come with the greatest risk to the business, then identify ways to support the staff's mental model when determining if an email is a phishing attack.


Implement email practices that support the human decision-making process, such as adding tags in the subject line or displaying a noticeable message when communications don’t follow expected behaviors.

[Internal] vs. [External]

For example, add “[EXTERNAL]” to the subject line of emails coming from outside the organization. This augmentation can help employees avoid email spoofing attacks. Why is the CFO asking me to wire money to an account from an external email address? You’ve just altered the employee's built-in decision-making process. Adding the [EXTERNAL] identifier in Office 365 is easy: create a mail flow rule that alters the subject line, which takes about five minutes to implement.

Other changes to support decision-making include:

  • Ensure that SPF, DKIM, and other domain/sender verification is enabled. When verification fails, present an error or quarantine the email to prevent spoofing.
  • Add a subject line tag when an email comes from a known highly sensitive email address or domain. For example, add the tag "[FROM BANK]" for emails coming from the business banking email addresses. Make sure the logic works both ways: if a message carries the tag but does not come from the expected address, remove the tag and quarantine the email. Partners can benefit from adding "[FROM O365]" to help defend against the recent influx of attacks against MSPs as well.
  • Implement S/MIME signing with partners and educate staff to identify emails that fail verification.
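The [EXTERNAL] tag described above and the two-way [FROM BANK] logic from the list can both be expressed as Exchange Online mail flow rules. The following PowerShell is an added example, not code from the original post or from Todyl; it assumes the ExchangeOnlineManagement module is installed, the account holds the Transport Rules role, and the domain bank.example, the two sender addresses, and the rule names are placeholders for the client's verified banking contacts.

```powershell
# Added example (not from the original post): Exchange Online mail flow rules
# implementing the subject-line tags and verification checks described above.
# Assumptions: ExchangeOnlineManagement module installed, Transport Rules role
# held, and bank.example plus the two sender patterns stand in for the client's
# real banking contacts.

Connect-ExchangeOnline

# Placeholder values; replace with the client's verified banking contacts.
$BankDomain  = 'bank.example'
$BankSenders = @('^wires@bank\.example$', '^treasury@bank\.example$')  # regex, exact match

# Rules are evaluated in priority order and new rules are appended at the end,
# so the creation order below is the evaluation order.

# 1. Quarantine external mail that fails DMARC (SPF/DKIM alignment). EOP stamps
#    the verdict into the Authentication-Results header; the rule inspects it.
New-TransportRule -Name 'Quarantine DMARC failures' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=fail' `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -Comments 'Spoofed internal or partner addresses must not reach a mailbox.'

# 2. The logic works both ways: an external message that already carries
#    "[FROM BANK]" but is not from the bank domain is a forged tag, so it is
#    quarantined before the tagging rule runs. Scoped to external mail so that
#    internal replies in a legitimate thread ("RE: [FROM BANK] ...") pass.
New-TransportRule -Name 'Quarantine forged [FROM BANK] tag' `
    -FromScope NotInOrganization `
    -SubjectContainsWords '[FROM BANK]' `
    -ExceptIfSenderDomainIs $BankDomain `
    -Quarantine $true `
    -StopRuleProcessing $true

# 3. [EXTERNAL] on everything that originates outside the organization, so a
#    "CFO" wire request arriving from outside stands out in the subject line.
New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `
    -PrependSubject '[EXTERNAL] '

# 4. [FROM BANK] only for messages from the expected sender addresses that also
#    passed DMARC. Mail from the bank domain that failed DMARC was already
#    quarantined by rule 1, so this rule never tags a spoof. The exception
#    avoids tagging a bank reply that is already tagged.
New-TransportRule -Name 'Tag mail from bank' `
    -FromAddressMatchesPatterns $BankSenders `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=pass' `
    -ExceptIfSubjectContainsWords '[FROM BANK]' `
    -PrependSubject '[FROM BANK] '

# Verify the evaluation order before handing the tenant back to the client.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

Two caveats when adapting this. If a partner does not publish a DMARC record, the header will read dmarc=none rather than dmarc=pass, and rule 4 should key on spf=pass or dkim=pass for that partner instead. The two quarantine rules are stricter than the default anti-phishing policy, so create them with `-Mode Audit`, review the message trace for a week, and only then switch to `-Mode Enforce`.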

Each step you take provides your clients with a valuable service which complements their training program. By identifying your client’s sensitive communications, you are better equipped to identify potential attacks, and in turn, provide opportunities to sell while implementing stronger cybersecurity.

These proactive services don’t have to be complicated, as demonstrated by the process for adding email identifiers to help employees spot potential phishing attacks. In fact, there are many ways to make your advanced expertise in this area an invaluable resource for organizations that struggle with awareness training and other security issues.

Sign up for our newsletter to catch the next installment of the CISO Mindset series, along with threat reports and other updates. You can also read the previous post A Tool for Developing Differentiated Security Solutions in the SMB Marketplace. To learn more about Todyl head over to Todyl.com.

  1. 2018 Verizon Data Breach Investigations Report
  2. Social Engineering: How the Human Factor Puts Your Company at Risk