
Let’s start with the uncomfortable bit: given enough emails, someone in your business will click a phishing link. Not because they’re careless, but because modern phishing is designed to work on busy people having a normal day.
The email arrives at 4:45pm. It looks like it’s from your bank, or Microsoft, or the boss. It’s urgent but plausible: a missed payment, a full mailbox, “are you at your desk? need this sorted before my flight.” Your employee isn’t weighing evidence like a detective; they’re clearing an inbox so they can go home.
Telling people to “be more careful” doesn’t fix this, any more than telling drivers to “be more careful” replaces seatbelts. What fixes it is layers, so that one click doesn’t become one disaster.
Layer one: fewer bad emails arrive
Most phishing should be stopped before a human ever sees it. Modern email filtering, plus three settings with ugly names (SPF, DKIM, and DMARC), dramatically cut what lands in inboxes. Those three also stop criminals sending emails that pretend to be you, which protects your customers and your reputation. Many businesses have them half-configured or not at all; it’s one of the first things we check.
Layer two: a click isn’t a catastrophe
Assume the click happens. What stands between the attacker and your data?
- Multi-factor authentication. If a password gets phished but sign-in needs a second factor, the attacker gets a password they can’t use. This is the single highest-value security control available to a small business, and it’s included in licences you probably already pay for.
- Sensible permissions. If the person who clicked can only access what their job needs, the damage stays contained. If everyone can see everything, it doesn’t.
- Tested backups. Ransomware’s whole business model is that you can’t get your data back. Backups that are isolated and tested remove the leverage.
Layer three: training that isn’t a lecture
Security awareness training has a bad name because it’s usually a 40-slide deck once a year. What works better is short and regular: five minutes, real examples, no blame. Simulated phishing emails help too: not to catch people out, but to make spotting the real thing feel routine.
One rule beats all the posters: anyone who thinks they’ve clicked something dodgy should feel safe saying so immediately. A reported click at 4:50pm is a non-event. The same click hidden until Monday because someone feared getting shouted at? That’s how you end up in the news.
The 20-minute version
If you do nothing else this month: switch on MFA for every account, check your backups actually restore, and tell your team that reporting a suspicious click will always be met with “thanks for telling us fast”.
If you’d like a second pair of eyes across all of it (filtering, MFA, backups, and the settings with the ugly names), that’s squarely inside our free IT health check. Thirty minutes, plain English, no scare tactics.
