A small business uses a cloud-based email service. The IT administrator wants to protect against phishing attacks that target employees. Which security control should be implemented first?
WAF is not directly applicable to email; it protects web applications. MFA is a more direct control against phishing.
Why this answer
A Web Application Firewall (WAF) is the correct first control because it can inspect and filter HTTP/HTTPS traffic to the cloud-based email service, blocking malicious links, scripts, and known phishing payloads before they reach users. Since phishing attacks often rely on deceptive URLs and web-based content, a WAF provides a proactive, network-layer defense that reduces the attack surface immediately, without requiring user behavior changes or endpoint configuration.
Exam trap
Cisco often tests the concept that phishing is primarily a web-based attack vector, so candidates mistakenly choose user training (A) or MFA (D) as the first control, overlooking that a WAF provides immediate, automated filtering of malicious web content at the network perimeter.
How to eliminate wrong answers
Option A is wrong because weekly security awareness training, while valuable, is a reactive, human-centric control that relies on employee vigilance and does not block the initial phishing attempt; it should complement technical controls, not be the first line of defense.

Option B is wrong because antivirus software on endpoints primarily detects and removes malware after delivery, but phishing attacks often bypass traditional signature-based AV by using social engineering or zero-day exploits, and it does not inspect the email service's web traffic.

Option D is wrong because multi-factor authentication (MFA) protects against credential theft after a user is tricked, but it does not prevent the phishing email from reaching the inbox or block malicious links; it is a critical secondary control but not the first layer of defense against the attack vector itself.