Email Security Maturity: Why Click Rates Miss the Real Risk

There’s an old maxim in IT: prevention is better than cure. Yet in the context of email security, the industry remains fixated on click rates—the percentage of users who interact with phishing attempts—as though this metric provides a comprehensive view of organisational risk. According to Material Security, this perspective is worryingly narrow. It overlooks the real threat: what cyber attackers are capable of once they have evaded perimeter defences and gained a foothold inside a user’s mailbox.

It’s not hard to understand the attraction of measuring click rates. The figures are clean, easy to report, and seem to offer a tangible gauge of training effectiveness. Yet this is misleading. Security, like road safety, cannot be reduced to a single behaviour such as seatbelt use. Modern attackers, once inside an inbox, have far greater freedom: they can search for sensitive information, establish mail forwards to exfiltrate data, or exploit trusted access to move laterally within an organisation. The act of clicking is only the beginning.

Material Security highlights the true battleground: rapid detection and containment of compromised mailboxes. Suppose an employee is deceived by a sophisticated phishing message. The real test isn’t the initial mistake. What matters is how quickly containment measures can be enacted—whether rules are in place to detect suspicious forwarding, whether anomalous logins are flagged, and how efficiently an operations team can intervene to prevent data loss or further compromise. While preventive controls remain foundational, effective incident response is now indispensable.

A more mature approach to email defence accepts the likelihood of compromise. Controls should be designed to minimise the impact, incorporating mechanisms like suspicious forwarding alerts or automated session shutdown for hijacked accounts. Constant monitoring for abnormal access or outbound mail patterns helps identify issues before they escalate. Preparation is equally critical: educating users and IT teams to react swiftly to incidents ensures resilience even when prevention fails.
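To make the monitoring controls mentioned above concrete, here is an added example (not from the article or from Material Security) of the three post-compromise signals a mailbox audit feed can surface: an inbox rule that forwards mail outside the organisation, a login from a country the user has never authenticated from before, and a burst of outbound mail to external recipients. The event schema (a list of dicts with `ts`, `user`, `action` and action-specific keys), the domain `example.com`, the thresholds and the sample events are all constructed for this illustration; a real audit log such as a cloud mail provider's would need a small adapter to this shape.

```python
"""Toy mailbox-compromise detector run over constructed audit events.

Added example, not the article's or any vendor's code. The event format,
thresholds and sample data below are assumptions made for illustration.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain
LOGIN_BASELINE_MIN = 2            # logins seen before a new country is "anomalous"
OUTBOUND_BURST = 5                # external sends within one hour that raise an alert
BURST_WINDOW_SECONDS = 3600


def is_external(address):
    """True when the address's domain is not the corporate domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def detect(events):
    """Return (severity, user, reason) alerts from a chronological event stream."""
    alerts = []
    seen_countries = defaultdict(dict)   # user -> {country: login count}
    outbound = defaultdict(list)         # user -> timestamps of recent external sends

    for ev in events:
        user, action, ts = ev["user"], ev["action"], ev["ts"]

        if action == "login":
            known = seen_countries[user]
            # Only alert once a baseline exists, and only the first time a country appears.
            if ev["country"] not in known and sum(known.values()) >= LOGIN_BASELINE_MIN:
                alerts.append(("medium", user, f"login from new country {ev['country']}"))
            known[ev["country"]] = known.get(ev["country"], 0) + 1

        elif action == "create_inbox_rule":
            fwd = ev.get("forward_to")
            if fwd and is_external(fwd):
                # Forward-and-delete hides the exfiltration from the user: treat as high.
                sev = "high" if ev.get("delete_after_forward") else "medium"
                alerts.append((sev, user, f"inbox rule forwards to external address {fwd}"))

        elif action == "send":
            if any(is_external(r) for r in ev["recipients"]):
                window = outbound[user] + [ts]
                window = [t for t in window if ts - t <= BURST_WINDOW_SECONDS]
                if len(window) >= OUTBOUND_BURST:
                    alerts.append(("medium", user, f"{len(window)} external sends within an hour"))
                    window = []   # alert once per burst, then start counting again
                outbound[user] = window

    return alerts


# Constructed sample feed: alice logs in twice from GB, then from NL, creates a
# forward-and-delete rule to an outside mailbox, and sends five external mails.
SAMPLE_EVENTS = [
    {"ts": 0, "user": "alice@example.com", "action": "login", "country": "GB"},
    {"ts": 3600, "user": "alice@example.com", "action": "login", "country": "GB"},
    {"ts": 7200, "user": "alice@example.com", "action": "login", "country": "NL"},
    {"ts": 7300, "user": "alice@example.com", "action": "create_inbox_rule",
     "forward_to": "collector@mail-drop.invalid", "delete_after_forward": True},
    {"ts": 7350, "user": "bob@example.com", "action": "send",
     "recipients": ["carol@example.com"]},
] + [
    {"ts": 7400 + 100 * i, "user": "alice@example.com", "action": "send",
     "recipients": ["partner@mail-drop.invalid"]}
    for i in range(5)
]


if __name__ == "__main__":
    for severity, user, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {user}: {reason}")
```

The point of the example is the order of events, not the thresholds: the new-country login and the external forwarding rule both fire before any data leaves, which is exactly the window in which containment (revoking the session, deleting the rule) limits the impact of the click that started it.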

It’s tempting to take pride in low click rates, but a true measure of email security maturity is found in how an organisation responds and recovers once a breach occurs. In IT, breaches are not a question of if, but when—and what follows is what truly counts.

*Original story: https://www.bleepingcomputer.com/news/security/email-security-needs-more-seatbelts-why-click-rate-is-the-wrong-metric/*