Phishing is not going away, it’s evolving. And users? With our current span of attention (9 seconds) and email overload, there is no chance of getting all our employees to be phishing detectives. We are just humans and therefore can be manipulated.

So, we have to assume that occasionally a phishing email makes it in – now what?

Now we need to set & TEST that our internal security controls will block & tackle the ensuing calamity, which means prevent, detect and respond to any malicious steps that follow the phishing payload activation.