A business spends a healthy sum each year on firewalls, endpoint protection, and monitoring tools, confident that its perimeter is well defended. Then an employee, busy and slightly distracted on a Tuesday morning, clicks a link in an email that looks exactly like it came from a supplier they deal with weekly. Within minutes, credentials are typed into a fake login page, and every pound spent on technical defences becomes almost irrelevant, because the attacker simply walked in through the front door with a valid set of keys.
The firewall was never the problem
Phishing remains the most common way businesses actually get breached, not because the emails have become more technically sophisticated, but because they exploit something no firewall can patch, ordinary human trust and everyday busyness. A convincing email does not need to defeat your security software at all. It only needs to convince one person, on one occasion, to hand over a password or open an attachment, and the layers of technical protection behind that person become largely beside the point.
Testing how well your perimeter genuinely holds up means looking beyond firewalls and patch levels entirely. A proper external network pen testing examines what becomes reachable once initial access is gained, precisely because that is the scenario phishing actually creates in practice, rather than testing purely for flaws that a technical scan alone would ever find on its own.

Why one email beats every layer of technical defence
The uncomfortable truth is that awareness training, while genuinely useful and worth investing in properly, cannot guarantee that every single employee resists every single attempt, forever. People are tired, distracted, or simply having an off day, and attackers only need to succeed once out of hundreds of attempts across an organisation. Businesses that treat phishing resistance as purely a training problem, rather than a layered one, often find that their technical spending was quietly protecting against threats that were never actually going to be the way in.
William Fieldhouse has seen this exact gap between spending and actual resilience play out repeatedly.
“A client with an impressively resourced security team was compromised through a single email that spoofed their finance director’s name, and their expensive perimeter tools never even registered the incident because the attacker simply logged in normally with stolen credentials.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That last detail is the one worth sitting with carefully. Nothing was breached in the technical sense. Nothing was hacked. A legitimate login happened, using legitimate credentials, and every monitoring tool designed to spot intrusions saw exactly what it was built to see, an authorised user signing in as normal. The entire incident looked unremarkable right up until the financial transfers started, which is precisely why phishing remains so effective against businesses that feel technically well prepared for almost anything else.
Treating people as part of the defence, not the weak link
No amount of firewall investment changes the fact that a convincing email, sent to the right person on the wrong day, can undo months of careful technical spending in minutes. Understanding this gap starts with a genuine penetration testing quote that shows exactly what happens once someone inside the business is fooled, rather than assuming it will never happen at all. It is a conversation worth having before that email lands in someone’s inbox.
