As cybersecurity professionals, we work each day to protect against a wide variety of threats. Attackers probe our firewalls with port scans, search out application security flaws and wage other exotic attacks against our systems. While those threats are real, the controls we use to address them don’t touch the No. 1 threat that affects organizations on a daily basis: phishing.

Phishing attacks are nothing new. They’ve certainly increased in sophistication over the past 20 years, but attackers have consistently used them to gain access to systems and information over the years for one good reason: They too often work. Let’s look at three security controls that organizations can put in place today to reduce their risk of falling victim to a phishing attack.