Why the Inbox Is Still the Front Door
The most common way a business is breached has not changed in a decade. Neither has the fix. Most companies simply never finish it.
Ask a room of executives how they imagine a breach and most will describe something cinematic: a hooded figure, exotic malware, a wall of scrolling code. The reality is almost always duller and closer to home. Someone received an email that looked legitimate, clicked, and typed a password into a page that was not what it appeared to be. That is it. That is how the majority of businesses are compromised.
Email remains the single most productive attack vector against a company, and it is productive for a simple reason: it targets people, not machines. A firewall does not get tired at 4:45 on a Friday. A finance clerk does, especially when the message appears to come from the chief executive and asks for something urgent.
The three doors most companies leave open
When we assess a new client, we almost always find the same three gaps, in the same order.
1. Unauthenticated mail
Most domains never finish configuring the three records that make email trustworthy: SPF, which declares who may send mail on your behalf; DKIM, which cryptographically signs it; and DMARC, which tells the world what to do with mail that fails those checks. Companies frequently deploy the first two, set DMARC to "monitor," and stop. Monitoring catches nothing. Until DMARC is set to reject, anyone can send mail wearing your name.
2. Reusable second factors
Two-factor authentication is not a single thing. Codes sent by text message and tap-to-approve prompts can both be defeated by a determined attacker: the first by intercepting the code, the second by wearing the victim down with repeated prompts until they approve one to make it stop. Phishing-resistant factors (hardware security keys and passkeys) cannot be handed to the wrong site, because they refuse to authenticate to a domain they do not recognize.
3. Unhardened executives
The accounts worth stealing belong to the people with the least time to protect them. A single compromised executive mailbox is enough to authorize a fraudulent wire, reset a dozen other services, or impersonate the company to its own customers.
The inbox is not a technology problem that happens to involve people. It is a people problem that happens to involve technology.
What actually closes the door
The fix is unglamorous and well understood, which is precisely why it is so often left unfinished. In order:
- Move DMARC from monitoring to enforcement, carefully, so legitimate mail keeps flowing while forgeries are rejected.
- Replace codes and prompts with hardware keys or passkeys on every account that touches money, identity, or administration.
- Enroll executives and administrators in the strongest available account protection. For most organizations, Google Advanced Protection, supplemented by Microsoft AccountGuard where Microsoft 365 is in use.
- Train the specific people attackers target with the specific scenarios they will face, not a generic annual video.
None of this is exotic. All of it is boring. That is the point. The businesses that stay out of the headlines are rarely the ones with the most sophisticated defenses; they are the ones that finished the basics while their competitors left the front door ajar.
If you are not certain your DMARC is enforcing, or that your CFO could not be phished today, that uncertainty is itself the finding. It is also the easiest problem we solve.
