I'm mostly with you (see my other comment) but MFA on email really is table stakes and your CEO will be the first to be phished without it.
I like to implement independent mail systems. No SSO BS. IT enters the password into the mail client while setting up the laptop and phone. The boss can't be phished if he doesn't know his password (or if the password has no use on the internet).

I also like to put everything behind a VPN (again no SSO). But the bigger the company gets, sooner or later this will come to an end. Because it's not "best practice" to not be phishable. Apparently what is needed are layers and layers of BS "security" products that can be tricked by a kid that has heard of JS. https://browser.security

Why is 2FA impossible if you self host?