
May 28, 2025 • 12 min read
From inbox zero to zero inbox

Hadas Cassorla
Call me, Ishmael.
Or text me, Slack me, invite me to a Teams meeting, message me on LinkedIn … just please, for the love of security, stop emailing me.
This is my Great White Whale.
We need to get rid of email. Let me explain why you should hate it as much as I do.
Email is the largest attack vector
It’s crazy: we’ve normalized a system where anyone on Earth can reach anyone in your company, at any time, for any reason. If someone invented email today and pitched it to a CISO, we’d laugh them out of the room.
“You want us to let anonymous strangers send unverified messages directly to every employee, and those messages can include links, attachments, and spoofed internal addresses?”
It sounds ridiculous—because it is. Imagine someone proposing, “Let’s give every person in Russia access to our Slack workspace.” You’d say no without even blinking. But that’s effectively what we’ve accepted with email.
Email is the origin point for:
- 90% to 94% of breaches: Cybersecurity firms report that the vast majority of successful cyberattacks involve email, typically phishing or malicious attachments.
- 80%–90% of malware infections: Verizon’s Data Breach Investigations Reports show, year after year, that most malware infections begin via email links or attachments.
- Phishing as the primary entry method: Email-based phishing remains the most common method attackers use to gain initial access or steal credentials across organizations of all sizes.
Email is one of the most consistently exploited entry points in any organization. From ransomware to spoofing to credential theft, attackers rely on email because it’s easy, effective, and vulnerable.
So, why are we still using it?
Whenever I float the idea of limiting email, people look at me like I just suggested we power the company with hamster wheels. "We need email to do business," they insist.
Do we, though?
Or have we just fallen into the “That’s the way we always did it” trap? And if we really need it, can we at least limit it to those who genuinely require it, for actual business-critical external communication? Our inboxes are full of noise, distraction, and danger, not business-critical communication. Here are the subject lines your team gets daily:
- "Final Reminder: Act Now!" (the same message you got five times this week)
- "Re: Your recent payment" (you didn’t make one)
- "URGENT: HR Policy Update" (spoiler: it’s malware)
- "Your Microsoft 365 password is expiring" (it isn’t)
- "Invoice Attached – Please Process Today" (don’t open it)
These aren’t just annoyances—they’re active threats. Yet we still consider email essential.
The tools you have already replace the need for internal email
Modern internal tools designed for real-time communication, structured workflows, and transparent collaboration have already eliminated the need for internal email. Platforms like chat tools, project boards, and secure document systems are built with today’s teams and threats in mind. They create digital spaces that are easier to secure, easier to manage, and far harder for attackers to exploit. It’s not about doing less communication—it’s about doing it smarter.
Many functions do not need email
- Customer Success: They’re probably using a platform like Zendesk to interact with customers. They might need a domain-based email address for brand consistency and internal meetings, but not an active mailbox or inbox to manage manually.
- Internal IT & Help Desk: These teams already live inside ticketing platforms like ServiceNow, Jira Service Management, or Halo. Redirect users to open tickets there. Keep a single, internal access-only, monitored alias (e.g., it@) that auto‑creates tickets; staff don’t need individual mailboxes.
- Engineering & DevOps: Collaboration happens in GitHub/GitLab issues, pull‑request comments, Confluence pages, and Slack. Critical alerts flow through PagerDuty or Opsgenie. Personal email adds little value—and lots of risk.
- Finance & Accounting: Payables and receivables flow through your ERP or AP portals (e.g., NetSuite, Bill.com). Provide a guarded finance@ alias that routes into the ERP; remove individual finance mailboxes.
- HR & Recruiting: Applicant‑tracking systems (Greenhouse, Lever) and HRIS platforms (Workday, BambooHR) include secure messaging modules. Candidates and employees interact through the portal; HR staff can skip personal inboxes.
- Facilities & Operations: Use maintenance‑request systems (e.g., OfficeSpace, Hippo CMMS) or a dedicated Slack channel. A facilities@ alias can pipe requests straight into the tool without requiring staff inboxes.
Use shared, monitored aliases instead of individual emails
Shared, monitored aliases still let you talk to the outside world like a civilized org—no smoke signals necessary. We already do this in some of our areas. And those emails go to the proper tools to manage the workflow: support@mycompany.com goes to your customer platform, accounts@mycompany.com goes to your bill-paying application, et cetera. So, why not have saas.sales@mycompany.com be accessible by whoever is looking at buying applications at your company? People can be added or removed from the alias as needed by IT.
By trimming down individual inboxes, you’re not just shrinking the attack surface—you’re Marie Kondo-ing digital chaos. Fewer inboxes, fewer breaches, more joy.
What about the rest of the org that truly needs email for external communication: CEO, Marketing, etc.? This is where white- and blacklisting become easier and more manageable. You are still targeting Zero-Trust. You are still doing Defense-in-Depth. And with the steps above, you have reduced your attack surface by 50% (at least).
What if I still find email useful?
So can a sharp stick. But not if you poke it in your eye. Also, when’s the last time you actually needed a sharp stick? You’ve replaced sharp sticks with more honed tools that are actually appropriate for the job: a fork, a knife, a spear, a Q-tip.
Want to share a document internally? Use Google Drive, SharePoint, or Dropbox. Want edits tracked? All document tools, such as Word, Google Docs, or Notion, do this.
Want approvals, and not just from your family members? Docusign, HelloSign, and Adobe Sign have that covered.
Need a quick back-and-forth? Slack, Teams, or even SMS is faster, searchable, and more secure.
Need a status update? Use project boards like Asana, Jira, and Trello.
Sending a file? Upload it securely—don’t risk an attachment getting spoofed, blocked, or forwarded.
And the fact that we are still doing invoicing by email is criminal! You're transmitting sensitive financial documents through a system that invites impersonation, forgery, and human error. There are purpose-built tools that track, verify, and secure invoice exchanges—use them. Emailing invoices in 2025 is like leaving cash in an unlocked mailbox and hoping for the best. That’s what your accounting software is for.
Furthermore, these collaboration tools allow for limited, secure, and loggable sharing with external resources as well.
OK, OK, but all of those tools require an email to activate.
Sure, many tools use an email address as a login ID—but that doesn't mean you need an active inbox behind it. With single sign-on (SSO) and identity providers, you can provision access, enforce MFA, and manage user identities without giving anyone an actual mailbox. Think of it like having a phone number for your smart fridge—it identifies the device, but no one's expecting it to answer a call.
Also, you don’t need a smart fridge.
Really.
Here’s your implementation blueprint
Let’s say you’re ready to start reducing inbox dependency. Frame the shift not as a lockout from email, but as a way to reduce noise, increase security, and streamline communication. Be transparent: you're not cutting people off from the outside world—you’re protecting them from the worst parts of it. Make it clear that employees will still have the tools they need to do their jobs, just with less risk and less clutter.
- Start with a pilot group. Pick a low-risk team (like Facilities or Customer Support) and eliminate individual inboxes, routing all external comms through a shared alias linked to a ticketing or messaging system.
- Audit your tools and workflows. Identify where email is just the lazy default. Can a Slack workflow, project management tool, or HR platform handle the same task with more transparency and less risk?
- Create a “No Inbox Needed” list. Document roles and systems that don’t require personal email inboxes. This list becomes your lighthouse.
- Train users. Show people how the new systems work. Let them know where to send requests, how to respond, and what their new workflows look like.
- Enforce through identity management. Use your SSO provider to provision access without inboxes. Add MFA, session timeouts, and logging.
- Monitor and iterate. Measure success by reducing phishing attempts, email volume, user complaints, and incident response time. Adjust where necessary.
- Tell the story. Communicate your success to leadership and other teams. Momentum builds when others see how much time, risk, and chaos are avoided.
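As an added illustration of the audit and "No Inbox Needed" steps (example code, not from the original post): a small Python script that buckets inbound mail per mailbox into internal, tool-generated, genuinely external, and flagged-phishing traffic, then names the mailboxes whose legitimate outside mail all came from a tool that already has its own system of record. The company domain, the tool-domain set and the log lines are constructed assumptions.

```python
# Added example: audit constructed inbound-mail records to find mailboxes
# whose external traffic could be routed through a shared alias instead.
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAIN = "mycompany.com"  # assumed company domain
# Assumed: SaaS platforms whose notification mail already lands in a tool
TOOL_DOMAINS = {"zendesk.com", "atlassian.net", "github.com", "pagerduty.com"}

# Constructed sample log: recipient,sender,flagged_as_phish (1 = flagged)
SAMPLE_LOG = """\
it@mycompany.com,alerts@pagerduty.com,0
dana@mycompany.com,noreply@github.com,0
dana@mycompany.com,notifications@atlassian.net,0
dana@mycompany.com,hr-update@mycompany.com,0
dana@mycompany.com,billing@invoice-pay-now.example,1
ceo@mycompany.com,partner@acme.example,0
ceo@mycompany.com,press@news.example,0
ceo@mycompany.com,ceo@mycompany.co,1
"""


@dataclass
class MailboxStats:
    total: int = 0     # all inbound messages
    internal: int = 0  # sent from the company domain
    tool: int = 0      # sent by a platform in TOOL_DOMAINS
    external: int = 0  # legitimate mail from anyone else
    phish: int = 0     # messages the mail gateway flagged


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def audit(log: str) -> dict:
    stats = defaultdict(MailboxStats)
    for line in log.splitlines():
        rcpt, sender, phish = line.split(",")
        s = stats[rcpt.lower()]
        s.total += 1
        if phish == "1":          # flagged mail is counted, never "legitimate"
            s.phish += 1
        elif domain(sender) == INTERNAL_DOMAIN:
            s.internal += 1
        elif domain(sender) in TOOL_DOMAINS:
            s.tool += 1
        else:
            s.external += 1
    return dict(stats)


def no_inbox_candidates(stats: dict) -> list:
    # Qualifies when every legitimate non-internal message came from a tool,
    # so an alias piped into that tool would carry the same traffic.
    return sorted(m for m, s in stats.items() if s.external == 0)
```

The `phish` count per mailbox is the baseline to compare against after the pilot, per the "Monitor and iterate" step.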
Email is the gift your mother-in-law gave you for your wedding. You don’t like it. You don’t need it. But you’re afraid that one day she’ll come over and ask about it. So you keep it around, pretending to enjoy it for her sake. You don’t need to kill it everywhere. But you should absolutely start sharpening your harpoon (for email, not your mother-in-law).
I am certain there is fear and uncertainty around this, but do not doubt. If you succeed, you’ll be praised by everyone who’s ever sighed at their inbox (so... all of us). You’ll be hailed as a visionary by leadership. And sure, maybe when you spear the whale, the ship will take on a little water—but if you do this incrementally, you can avoid sinking. And Ishmael? He can write a whale of an after-action report.
About the authors

Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from ground-up.
