And apart from the phone - nothing. Long passwords, a ban on saving passwords in the browser, slapping hands so as not to write down on pieces of paper, holding weekly or monthly training sessions on who and what you can say about work.
It will be a little safer if you start using only a secure IMAP connection through an email client. But just a little. If it's safe at all.

No way. Accounts are not tied to an individual.

Delivered corporate Lastpass for this purpose.

why not an option? cheap and cheerful, well, at least they have work through google authenticator, but if you miss the phone and don’t back up the authenticator data, you won’t get access to the mail.

As already mentioned, two-factor authentication.
Generation of digital codes for 8 or 10 inputs (I don’t remember the exact number), printing them on a leaf and saving them. But in this case, you can not do without a phone number.
As well as adding a PC to the list of trusted ones, which will not require additional confirmation in the future.
When authorizing from other hosts, use previously generated codes.