Filtering and inbound controls on the primary attack vector.
The large majority of attacks start in the inbox; inbound controls stop most before a click.
What strong practice looks like
Email filtering / secure gateway and inbound screening controls.
What this area covers
Is email filtering or a Secure Email Gateway in place?
Email security is the protection that filters dangerous email before it reaches your team — blocking spam, malicious attachments, and fake “phishing” messages designed to trick someone into clicking a bad link or handing over a password. It’s often built into your email provider (Microsoft 365, Google Workspace) or added as a separate service (a “secure email gateway”).
Carriers ask because email is the number-one way attackers get in — most breaches start with a single bad email someone clicked.
CISA — Recognize and Report Phishing ↗ — what good looks like
Also covered in this area
- Email security product / vendor (if any)
- Which inbound controls are enabled?
This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.