Some 90% of targetted attacks start with email. These are generally phishing attacks: the email purports to come from a reputable person or company and its apparent validity persuades the recipient to disclose personal information such as passwords or credit card numbers. Most email attacks require the victim to take some sort of action: open an attachment, allow a macro to run, click a malicious link or respond to a fraudulent request to transfer money. Because today’s attacks are aimed at people, defences need to focus on protecting people, educating them and doing everything possible to ensure they are not tricked, exploited or compromised. How can companies put people at the heart of cybersecurity?