.svg){kind=icon}
Digital advertising agencies hold a treasure trove of information on their clients, including strategic messaging plans, executive contact information, and payment details. As a result, they must harden their security defenses to keep sensitive information where it belongs. One incident could mean the difference between a thriving creative partnership and a PR disaster.
The Challenge: Improving phishing protection while protecting data in inboxes
The digital advertising agency that’s the subject of this case study worked diligently to manage security with the native capabilities of Google Workspace. While Google provided a solid foundation, their Senior IT Manager was spending significant effort investigating user-reported phishing attempts and keeping up with security training.
In order to stay up to date with best practices on phishing protection, the Senior IT Manager found himself in constant contact with Google support to find new ways to improve security settings and create new detections and filters. He also had to strike a balance to make sure that users were not able to create work-arounds that might avoid the configurations he created.
At the same time, the Senior IT Manager was juggling a manual process of reminding users to be on the lookout for phishing attempts. This involved consistently training (and reminding!) users to carefully review email header and sender information for signs of suspicious activity. And of course, with increased user awareness of phishing comes an increase in phishing reports. While it was great to see that users were absorbing their training, each phishing report led to a manual investigation. This cycle of training and triaging was taking its toll on the Senior IT Manager.
While he knew a typical anti-phishing solution would help him with these issues, the agency had additional email security concerns they needed to address. They were facing an uphill battle to ensure compliance with Payment Card Industry Data Security Standard (PCI DSS). In order to make life easier for their client base, the agency accepted payments via credit card. But this meant that they had to comply with strict standards of how this data was stored and secured. As a hybrid company, email is the main tool they use to collaborate with clients. But when it came to processing credit card payments, standard email security wouldn’t help them comply with PCI DSS. Rather than slowing down business and forcing remote workers back into the office where they would be equipped to handle paper forms, locked cabinets, shredders, and even the dreaded fax, the agency looked for a better, digital solution.
The Solution: Material protects against phishing and protects data at rest in inboxes
After researching the email security solutions available to them, the agency chose to implement Material Security for its ability to block phishing attempts, create training moments, and secure email post-delivery. Implementation was a simple process of connecting to the agency’s Google Workspace environment via API, and the impact was almost immediate.
One of the first places the Senior IT Manager saw the value of Material’s approach was in the user-reported phishing process. Prior to implementing Material, he would investigate individual reports and apply remediations using Google’s native tooling. With Material, he was able to configure the platform so if a single user reported a phishing email, protection would automatically kick in and prevent other employees from clicking on the suspicious email. Better yet, Material groups similar emails into a single case for breadth of protection. Here’s how the agency’s CTO describes it:
“Material gives us what I call ‘distributed email intelligence.’ When one user marks an email as suspicious, all of the users in the company benefit from that. That is a huge improvement for us.”
Material is also used to provide phishing training for employees. The agency can send de-fanged examples of real world phishing attempts to test users’ awareness of different attack types. If an employee clicks on a link, they’re not exposed to danger, but they are given a friendly warning to be more careful in the future.
“It’s a night and day scenario since we’ve had Material,” explains the Senior IT Manager, “it just made it a lot more efficient to handle any phishing attempt.”
In addition to improving the agency’s phishing protection, Material also helps them comply with PCI DSS with its unique email data protection offering. When credit card information is detected in an email, that email will be redacted and can only be accessed with the inbox owner’s MFA authentication. This allows the agency to use email to collaborate and accept payment information from customers, while ensuring that that data is just as secure as if they were using paper processes. This has made the Chief Integration Officer’s life a whole lot easier:
“Material completely changed the way we look at PCI compliance because now we could go back to a digital solution. Having Material has really allowed us to control who is able to access this data, making sure that the right people can get it at any time.”
The Results: Broader coverage for email security, plus time savings
Today, Material secures the agency’s email both before and after delivery. The Senior IT Manager is saving time on manual tasks plus he has unmatched visibility into the types of threats the agency is facing. Material analyzes and classifies threat types so the Senior IT Manager can easily see whether a phishing attempt is showing signs of credential theft, business email compromise (BEC), ransomware, or another potential incident type. Armed with this knowledge, phishing training is more targeted and specific. Employees are exposed to real-world scenarios in a way that’s danger-free, but provides the Senior IT Manager with a better idea of where to focus additional training resources. “We want to keep it simple for users, and Material lets us do that” he explains.
But Material’s value didn’t stop at simplifying and strengthening the approach to fighting phishing. Material also gives the agency visibility into who’s accessing sensitive data that lives within inboxes.
“If someone tries to forward an email with sensitive financial information, we have a rule in place that will let us see it immediately,” says the Senior IT Manager. “We know every time someone opens or retrieves a sensitive document, we know who does it and how many times they've done it. Material gives us that breakdown per user, per email, by the minute.”
With Material, the agency has confidence that email is protected beyond the perimeter, with protection that extends into the inbox and across all employees. Material has provided a core capability that allows them to move at digital speed without compromising security.
.jpeg)
