Email security requires more safeguards: Why click rate is not the right metric

Many security teams still rely on click rates to measure phishing risk. It's simple to track and present, but it can be misleading. Tracking clicks is akin to "measuring the tide coming and going": it naturally fluctuates and seldom indicates real-world impact.
The more critical question, which most programs struggle to answer, is: How much damage can an attacker cause if they get into a mailbox?
This is the true measure of maturity. It's not about completion rates or who remembered to inspect a URL. Even with a low click rate, one click by one inattentive employee is enough. And mailboxes are increasingly compromised without any phishing at all, for example through reused or leaked credentials and stolen session tokens.
Phishing is merely an entry point; the real crisis follows
In incidents that concern CISOs, phishing is merely the entry method. The real issue is what occurs once an attacker gains access:
They extract years of sensitive mailbox data and shared files.
They use the mailbox to reset passwords for other applications.
They exploit the compromised identity to phish other employees from a trusted source.
MFA isn't a foolproof solution here: legacy protocols, app passwords and stolen session tokens are among the ways into a cloud workspace that never face a second factor. If breaches are unavoidable, the focus shifts from perfect prevention to resilience.
The Layered Approach to Robust Email Security
Most email security solutions available today concentrate primarily on preventing inbound attacks. While prevention is undoubtedly crucial, it cannot be the sole defense. Modern threats are too rapid, too widespread, and too advanced. Relying solely on inbound protection is inadequate.
Prevention - This involves blocking incoming threats, correcting misconfigurations, and securing risky file shares. It includes taking all possible measures to thwart attacks before they happen.
Detect and Recover - This requires the capability to identify signs of compromise and account takeover early, before serious harm is done. It involves monitoring not just unusual login activity but also data access patterns, newly created forwarding and inbox rules, file sharing behaviour, and other indicators that an account is behaving abnormally.
Containment - This is about continuous risk mitigation that limits the extent of damage an attacker can inflict once they gain access to an account. It involves restricting their ability to extract sensitive data, move laterally, and propagate the attack within the environment.
Many organizations perform reasonably well in prevention, though often with a limited scope. More advanced organizations possess some detection and response capabilities. However, very few manage containment effectively.
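The detection layer above is easier to reason about with concrete logic. The following is an added example, not code from the original article: a small scanner that walks mailbox audit events per user and flags the indicators the text lists (a login from a country not seen before, a forwarding rule to an external domain, an inbox rule that hides security-relevant mail, and a burst of item reads), escalating anything that happens shortly after the new-location login. The event schema, the tenant domain and the sample events are all assumptions constructed for the example.

```python
"""Account-takeover indicators from mailbox audit events.

Added example, not code from the original article. The event schema below
is an assumption loosely modelled on cloud mailbox audit logs; the sample
events are constructed, not real.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}      # assumption: the tenant's own mail domains
BULK_WINDOW = timedelta(minutes=10)     # sliding window for bulk-read detection
BULK_THRESHOLD = 50                     # items read inside the window before alerting
PIVOT_WINDOW = timedelta(minutes=30)    # changes this soon after a new-location login are escalated

EVENTS = [  # constructed sample log, not real data
    {"ts": "2024-05-01T08:02:00", "user": "alice@example.com", "op": "Login", "country": "US"},
    {"ts": "2024-05-01T08:05:00", "user": "alice@example.com", "op": "MailItemsAccessed", "count": 3},
    {"ts": "2024-05-01T09:00:00", "user": "bob@example.com", "op": "Login", "country": "US"},
    {"ts": "2024-05-01T09:01:00", "user": "bob@example.com", "op": "Set-Mailbox",
     "forward_to": "bob.archive@example.com"},
    {"ts": "2024-05-01T13:40:00", "user": "alice@example.com", "op": "Login", "country": "NG"},
    {"ts": "2024-05-01T13:41:00", "user": "alice@example.com", "op": "Set-Mailbox",
     "forward_to": "collector@attacker-mail.test"},
    {"ts": "2024-05-01T13:42:00", "user": "alice@example.com", "op": "New-InboxRule",
     "rule": {"subject_contains": ["password", "invoice"], "delete": True}},
    {"ts": "2024-05-01T13:43:00", "user": "alice@example.com", "op": "MailItemsAccessed", "count": 40},
    {"ts": "2024-05-01T13:48:00", "user": "alice@example.com", "op": "MailItemsAccessed", "count": 35},
]


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def suspicious_rule(rule: dict) -> bool:
    # Rules that hide mail (delete it, or move it to a folder nobody reads) while
    # matching security-relevant subjects are a classic takeover move: they stop
    # the victim seeing reset mails and replies to attacker-sent phish.
    hides = rule.get("delete") or rule.get("move_to") in {"RSS Feeds", "Archive", "Junk"}
    return bool(hides and rule.get("subject_contains"))


def scan(events):
    """Return (user, indicator, timestamp, escalated) findings in time order per user."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        seen_countries = set()   # assumption: baseline = countries seen earlier in this log
        new_location_at = None   # time of the most recent login from an unseen country
        reads = []               # (ts, count) pairs inside BULK_WINDOW
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            op = e["op"]
            escalated = new_location_at is not None and ts - new_location_at <= PIVOT_WINDOW
            if op == "Login":
                if seen_countries and e["country"] not in seen_countries:
                    findings.append((user, "login-from-new-country", e["ts"], False))
                    new_location_at = ts
                seen_countries.add(e["country"])
            elif op == "Set-Mailbox" and "forward_to" in e:
                if is_external(e["forward_to"]):
                    findings.append((user, "external-forwarding", e["ts"], escalated))
            elif op == "New-InboxRule" and suspicious_rule(e["rule"]):
                findings.append((user, "suspicious-inbox-rule", e["ts"], escalated))
            elif op == "MailItemsAccessed":
                reads = [(t, c) for t, c in reads if ts - t <= BULK_WINDOW]
                reads.append((ts, e["count"]))
                if sum(c for _, c in reads) >= BULK_THRESHOLD:
                    findings.append((user, "bulk-mail-access", e["ts"], escalated))
                    reads = []   # one burst produces one finding
    return findings


if __name__ == "__main__":
    for user, indicator, ts, escalated in scan(EVENTS):
        print(f"{ts} {user} {indicator}{' (escalated)' if escalated else ''}")
```

On the constructed log this yields four findings for alice, three of them escalated because they follow the login from an unseen country within half an hour, and nothing for bob, whose forwarding rule points at an internal address. The point is the correlation, not any one indicator: a forwarding rule on its own is noise, a forwarding rule minutes after an anomalous login is a takeover in progress.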

The Missing Layer: Containment
Containment may not be flashy and doesn’t fit neatly into a conventional security category, but it can significantly reduce the impact of a breach.
Consider it like this: prevention involves maintaining your car, driving cautiously, and avoiding accidents. Detection and response involve ensuring everyone’s safety and calling for assistance after an accident. Containment is akin to seatbelts and airbags: the safety features that minimize the severity of a crash.
Containment isn’t just a buzzword; it’s a collection of practical controls targeting an attacker’s objectives after a compromise:
Make mailbox exfiltration more difficult: Why should accessing an account grant unrestricted access to years of personal information and financial documents? Internal segmentation—requiring additional verification for sensitive emails—restricts what an attacker can "loot."
Prevent lateral movement via password resets: If there’s one control that can alter the course of a breach, it’s this: intercept password reset emails and enforce an additional MFA challenge to ensure a compromised mailbox doesn’t lead to a compromised identity.
Address "settings debt": Attackers thrive on outdated defaults. Disabling legacy IMAP and POP access, which authenticate with a password alone and so sidestep MFA, and clearing out app-specific passwords are basic hygiene measures that substantially reduce your exposure.
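The reset-path control is the one most worth seeing in code. The following is an added example, not code from the original article or any vendor: inbound mail is classified, ordinary messages are delivered, and anything that looks like a password-reset or one-time-code email is held until the user passes a step-up challenge delivered out of band (an authenticator push or hardware key, assumed here as a boolean result). The regular expressions, the message format, the sample messages and the queue API are all assumptions constructed for the example.

```python
"""Hold password-reset and OTP emails until a step-up challenge succeeds.

Added example, not code from the original article. Message format, detection
patterns and the step-up result are assumptions; the sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Heuristics for "whoever reads this mail can reset or log in to something".
# Assumption: illustrative only; a real filter would also use known sender
# lists and authenticated (DKIM/SPF-passing) sender identities.
RESET_SUBJECT = re.compile(
    r"\b(reset|recover|change)\b.*\bpassword\b"
    r"|\bpassword\b.*\b(reset|recovery)\b"
    r"|\b(verification|one-time|security) (code|passcode)\b",
    re.I,
)
RESET_LINK = re.compile(r"https?://\S*(reset|recover|token=|otp=)\S*", re.I)


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class HoldQueue:
    """Reset mail waits in `held`; `delivered` is what actually reached the inbox."""
    held: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)
    reset_senders: set = field(default_factory=set)
    next_id: int = 0


SAMPLES = [  # constructed messages, not real mail
    Message("noreply@crm-vendor.test", "Reset your CRM password",
            "Click https://crm-vendor.test/reset?token=abc123 within 1 hour."),
    Message("bob@example.com", "Lunch?", "Noon at the usual place?"),
    Message("security@bank.test", "Your one-time passcode",
            "Your verification code is 493 221. It expires in 10 minutes."),
    Message("news@tech-digest.test", "Password managers compared",
            "This week we review five vaults. Read more at https://tech-digest.test/issue/42"),
]


def is_password_reset(msg: Message) -> bool:
    return bool(RESET_SUBJECT.search(msg.subject) or RESET_LINK.search(msg.body))


def intercept(msg: Message, queue: HoldQueue):
    """Classify one inbound message. Ordinary mail is delivered at once; reset/OTP
    mail is held and gets an id that the step-up flow later uses to release it."""
    if not is_password_reset(msg):
        queue.delivered.append(msg)
        return ("delivered", None)
    msg_id = queue.next_id
    queue.next_id += 1
    queue.held[msg_id] = msg
    queue.reset_senders.add(msg.sender.rsplit("@", 1)[-1].lower())
    return ("held", msg_id)


def release(queue: HoldQueue, msg_id: int, mfa_passed: bool) -> bool:
    """Called once the user answers the step-up challenge out of band. A failed or
    missing challenge leaves the message held, so an attacker who only controls
    the mailbox never sees the reset link or the code."""
    if msg_id not in queue.held or not mfa_passed:
        return False
    queue.delivered.append(queue.held.pop(msg_id))
    return True


def reset_path_exposure(queue: HoldQueue) -> set:
    """Sender domains that have sent reset/OTP mail to this mailbox: each is an
    application whose login could be taken over from the mailbox alone."""
    return set(queue.reset_senders)


if __name__ == "__main__":
    q = HoldQueue()
    for m in SAMPLES:
        print(m.subject, "->", intercept(m, q))
    print("released:", release(q, 0, mfa_passed=True))
    print("still held:", [m.subject for m in q.held.values()])
    print("reset-path exposure:", reset_path_exposure(q))
```

The step-up challenge must not itself travel over email, or the control is circular. Note also the side benefit: the set of domains that send reset mail to a mailbox is a direct measurement of how many applications can be taken over from that mailbox alone.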
Advancing Beyond Manual Triage
The main challenge for most teams is time. No one has the capacity to manually review every file permission or evaluate every user report.
If you’re committed to containment, you need systems that handle the monotonous tasks automatically—identifying risks and addressing them in the background—so your team only gets involved when judgment is truly necessary.

Alternative Metrics to Consider
While click rate is just a superficial indicator, these metrics truly represent your risk:
Mailbox lootability: What amount of sensitive information can be accessed without additional verification?
Reset-path exposure: How many essential applications are vulnerable to email-only password resets?
Time-to-contain: How quickly can you restrict an attacker's actions once they have gained access?
Email security has long focused on the front entrance. It's crucial to start questioning: if an attacker is currently in a mailbox, what actions can they take in the next ten minutes—and how swiftly can you revoke that capability?