Zero Trust Inboxes: Block BEC & Ransomware — With David Setzer (Ep. 120)

By Steve “The Doctor” Meek | Talk To Th3 Doc Podcast | The Fulcrum Group

🎙️ Podcast Doc-umentary – Episode 120

The Friday Follow-Up: What We Learned—and How We Do It at Fulcrum

If you’ve listened to Ep. 120, you heard David Setzer and me unpack a basic truth: email is still the front door for modern attacks. And business email compromise (BEC) is the smooth-talking burglar. Threat actors don’t have to “hack” your network since they can just send you an email and walk in the front door. I like to say tech can be a faithful dog (call him SPOT, if you will)—loyal, hardworking, and occasionally chewing up your living room if you don’t set some house rules. Zero Trust can be the new house rules for the inbox.

Today’s post connects the big ideas from the episode to how The Fulcrum Group actually runs this in the wild for DFW organizations—manufacturers, cities, nonprofits, and professional services firms who can’t afford downtime or wire-fraud drama (or who are still dealing with a past incident or a near miss).

Zero Trust, in Human Terms

But first, a bit more about Zero Trust. It is a safety rule, not a piece of software. Email was originally created for academics, on the assumption that every sender was OK. Zero Trust means we stop assuming anyone or anything is “safe” just because they’re inside the office, on the VPN, using a familiar device, or using email on the Internet. Instead, every access request has to prove who it is, that it should be here, and that nothing suspicious is going on—every time. Think of it like a smart front desk that checks ID, purpose, and behavior on every visit, even for regulars.

Why Zero Trust for Email (and why now)?

From the episode: attackers don’t need to “hack the planet.” They just need one inbox to trust the wrong thing once. The Zero Trust concept for email simply means: verify identity, approve the message, and minimize blast radius.

What David said (in plain English)

  • Phishing and BEC now look polished—AI has made lures cleaner and more personal.
  • “Default” Microsoft 365 is solid—but defaults are not a safe strategy.
  • The best outcomes come from layering: identity controls + more modern email security + well-rehearsed response.

How Fulcrum seeks to impact “trust” for our clients

There are five main areas where we work to verify trust. Since security is best in layers, the most secure organizations will have different protections in each of these areas.

  • Identity (prove who the person is—every time)
  • Devices (allow only healthy devices to get in)
  • Networks (assume the path could be hostile)
  • Applications & Workloads (access is appropriate for the context)
  • Data (prioritize protecting what matters most)

Why are we talking about it for email?

The FBI’s 2024 Internet Crime Report logged 859,532 Business Email Compromise complaints and $16.6B in total losses across scams; losses rose 33% year over year. BEC is a quiet, costly email scam that tricks teams into sending money or changing bank details. One “urgent” message that looks like it’s from your CEO or a trusted vendor can lead to wire or invoice fraud in minutes. For DFW small businesses, the damage hits cash flow, customer trust, and weeks of cleanup. BEC thrives on busy days and rushed approvals.

Is “Native Only” Enough?

We love Microsoft 365 and use it to the hilt—but in higher-risk or regulated environments, we’ll add specialized email security where it measurably lowers risk. The added filtering flips the default: senders have to be opted in by Trusting them, much as Facebook asks you to friend people you know. The tool also learns from your actions, past and future. Move a message you want from junk mail to the inbox, and it remembers that you want mail from that sender. Mark a message as Silenced to Jail the sender (a Gmail address, say), and future emails from that address won’t get through to your inbox. There is even a built-in search tool for finding held messages you were expecting, giving users more power to locate the important mail they’re after.

Other ways Fulcrum Group Helps DFW Leaders

  • Inbox Health Check (free check): run an automated, comprehensive email security test on your own. Use the resulting secure score to confirm basic filtering best practices and decide whether your filtering is good enough.
  • STARpower™ Alignment: quarterly reviews so you gradually improve cybersecurity controls to match business change—M&A, new plants, new vendors, new risks.
  • Security Awareness Tools: our standard offering includes Security Awareness Training for all your users (and some AI and Office basics). With a small uplift, we can also do simulated phishing, to test user behaviors.

If Ep. 120 resonated, let’s turn your new zero trust insight into a safer Monday.

Next Steps

Run a quick inbox health check (from the link above) to test your basic email security settings, or reach out to us for an appointment to discuss, using the link on the side. It’s the first step on your journey to reduce the BEC attacks that target executives and their direct reports, especially CFOs and accounting staff.

Or, subscribe to our Talk To Th3 Doc podcast below to hear the full episode and form your own opinions.

Watch us on YouTube:

📺 http://bit.ly/4lRR3qr

Find us on your preferred podcast platform.

🎧 https://pod.link/1807560282