Go back

IT Leader Single-Handedly Levels Up Email Security

IT Leader Single-Handedly Levels Up Email Security | Material Security

m read
No items found.

A high-profile investment firm conducts sensitive business over email with clients and employees across the United States. While a significant risk, this is the norm for most businesses.

“We are in a competitive market. If someone’s financials or candid conversations get leaked, and then the word gets out, no one will want to do business with us.”

For Brian, any product that tries to address this risk has to meet two critical constraints. First, it has to play nice with his users who would riot against anything that gets in the way of productivity. Second, it can’t just be another security tool that goes beep in the night and requires constant babysitting. Brian underscores this point: “I want tools that are just running and protecting the users without me getting involved.”

“I want tools that are just running and protecting the users without me getting involved.”

Brian rolled out Material for the investment firm after a tip from a colleague in the industry. The key benefit has been a considerable improvement in the firm’s resilience to email compromise while keeping operations smooth and straightforward for both Brian and his users.

Extending Duo to Stop Account Takeovers via Compromised Email

Much of the firm's workforce is independent, tech-savvy, and always on the hunt for the best tools to serve clients. The result is hundreds of SaaS services in use (many of which hold sensitive firm and client data) that don't support standard security controls such as SSO.

Without SSO, applications rely on email as an identity layer and are vulnerable to password resets by an attacker who uses a compromised email account to gain access. But even applications that support SSO often employ email-based password reset flows, either by default or due to misconfiguration. If someone gets access to the inbox, "they have keys to the kingdom and can reset passwords for all sorts of other apps" Brian explains.

Using Material’s Risk Analytics, Brian uncovered that his CRM, file-sharing services, major social media platforms, and many other apps were resetting passwords over email. Even the firm’s market-leading SSO platform relies on email for account resets, which means a compromised email account could cause a lot of damage:

“If someone gets access to the inbox, they have keys to the kingdom and can reset passwords for all sorts of other apps. With Material, they can’t get into our file store and other applications, because there is this additional layer of protection. This is such a game-changer to prevent a hacker from getting into other accounts.”

Material’s answer to this type of attack is Identity Protection, a feature that adds a simple authorization step for accessing password resets and other high-risk account verification messages. Brian implemented this protection first and used Duo (already available to all employees) as the authorization mechanism. The announcement—complete with a demo video—created a buzz which is rare for a security tool:

“I got a lot of emails from our executives asking how they could get this protection for their personal accounts.”

Resolving the Trade-Off Between Retaining Email and Reducing Risk

The trade-off between long-term email archive access and reducing the risk of data loss is common and completely impractical. Brian weighs, “would I rather not allow employee access to any email older than 12 months, carte blanche, or leave years of communications exposed in case of compromise?” Like so many organizations, much of the firm’s knowledge resides in email, and teams that handle sensitive data (Legal, Finance, HR, etc.) can’t do their job without access to older messages. Keeping all this sensitive data in email is also a huge risk.

“In the past, you had a decision about how many emails to retain and what to delete to reduce risk. Would I rather not allow employee access to any email older than 12 months, carte blanche, or leave years of communications exposed in case of compromise?”

Material’s Data Protection resolves this trade-off by redacting archived sensitive emails and adding a quick extra layer of authentication to regain access. Simple for a legitimate user, but not an attacker. The result for organizations: unlimited retention without unlimited risk. “If someone compromises the account, for anything that Material finds as sensitive, they won’t be able to get years and years of data. The exposure is limited to what we decide is appropriate. It could be just a few months for certain roles or even less,” Brian shares.

“If someone compromises the account, for anything that Material finds as sensitive, they won’t be able to get years and years of data. The exposure is limited to what we decide is appropriate. It could be just a few months for certain roles or even less.”

Once again, Material’s Risk Analytics allowed Brian to take a data-driven approach. He found that 82% of the firm’s email accounts held sensitive messages—with an average of 2,200 sensitive messages per account. And while some accounts held very few sensitive emails, others contained over 10,000 messages containing banking information, financial reports, confidential information, encrypted attachments, customer lists, and more.

In light of the variance, Brian configured Data Protection settings for different teams based on the type and volume of sensitive content they handled and also their specific access patterns. A task made significantly easier thanks to Material's built-in support for staged rollouts and group-level settings.

Building Collective Defense Against Malicious Emails That Beat AI/ML

The firm previously deployed multiple phishing blockers, including newer AI/ML-based tools, but some malicious messages always seemed to get through. In these situations, the firm’s workforce is an asset as they often spot and report suspicious messages. Like many other organizations, the security team doesn’t have the resources to respond to phishing reports 24x7, but attacks can come at any time.

“There are things that AI and ML will never be able to catch. So, it’s really interesting when someone can see something that is phishing and flag it and protect the entire organization.”

Material’s Phishing Protection is a low overhead way to take a big bite out of this problem. It enables even a single employee to immediately protect everyone else in the firm from similar phishing messages, even before IT or Security has investigated. The unexpected benefit—Brian didn’t need to retrain anyone to work with the new solution because Material seamlessly integrated into the firm’s existing reporting flow. He highlights that “people really appreciate the level of care and know that the tools are working behind the scenes to protect them.” Once again, employee feedback was unusual for a security rollout.

“People really appreciate the level of care and know that the tools are working behind the scenes to protect them.”

Since deploying Material, Brian has an upgraded assessment of his firm’s email security: “It just gives me another level of comfort to go about and do my business rather than worrying about email security.”

Best of all, Brian was able to deploy the entire solution on his own with minimal support from the Material team. Since then it has required no babysitting, meeting Brian’s goal of “just running and protecting the users without me getting involved.”

Privacy Preference Center

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.