When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place.

When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.

We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.

Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.

Take from that what you will!

Immune system exercise, interesting point. At least you’ve kept up the checks.