Despite the growth of corporate messaging apps and other forms of communication, the humble email remains as vital a business tool as it’s ever been. For many, email has also become a de facto filing system: home to a treasure trove of years’ worth of documents and data, much of it commercially sensitive.
This has created a dilemma for organizations: with phishing attacks and other security risks looming large, how do they address the issue of email retention? Organizations have to design retention policies that account for the common risks associated with email systems. But the solution of deleting emails after a certain amount of time hampers worker productivity.
The challenge of implementing an effective email retention strategy to address these issues was recently faced by senior management at Oportun, an A.I.-powered digital banking platform that seeks to make financial health effortless for anyone.
Meet Vice President of Technology & Cloud Operations, Veejay Leswal, and Director of Corporate IT Services, Danny Gray. Veejay and Danny were well aware that while old emails needed to be retained in some form so staff could access them if needed, something needed to be done to ensure the data in the company’s mailboxes remained secure. Veejay noted, "I have to hold all of this email data. It’s uranium for me! The data is radioactive."
Oportun’s security team was tasked with finding a solution and, after research on available products in the market, the team met with Material Security to discuss how they could address the email retention debate. Veejay thought to himself, "This is either the most brilliant solution I’ve ever seen or it’s vaporware. But to my delight it actually did what I wanted it to do. It was the first time I brought a vendor in where everyone on the team was fully sold on bringing the solution in."
Material demonstrated their Data Protection solution, showing the Oportun team how they could redact potentially sensitive emails from staff members’ mailboxes and require users to pass an authentication challenge before accessing their contents.
Simple Email Deletion Not the Best Solution
Organizations can find it tempting to implement a simple email retention policy that enforces deletion after a specific time (e.g. six months or a year after the email arrives or is sent). While this approach reduces the risk of attackers accessing old emails, it doesn’t gel with the need users occasionally have to access old communications.
First, Oportun’s team needed to understand what exactly lived in mailboxes. Veejay explained, "It’s really tough to understand what’s going on in email. You can go and run a PowerShell script and maybe figure it out. But with Material, it’s automatic and seamless."
Not only did Material provide Oportun’s team with detailed risk insights, but they also showed how Data Protection for Email could help secure sensitive data:
- Material automatically finds and redacts emails containing PII, financials, customer data, and other classes of sensitive content.
- Material integrates with Oportun’s MFA provider to add a layer of user authentication when accessing sensitive messages.
- Once the user verification is approved, users can instantly access the sensitive content directly in their mailboxes.
The result is an email retention framework that keeps everyone happy: users can still access the older messages when they need them, and the security team can relax knowing the content of sensitive messages will not be accessible by unwanted eyes. Veejay shared, "Material’s solution is brilliant and simple. It enables you to protect the long tail of email while still keeping it available to employees. It helps protect us from day zero to whenever."
For Oportun, it wasn’t enough to apply the highest level of security to their email. They also wanted to ensure the solution they went with offered the best possible user experience for staff.
As Veejay explains, the problem with traditional encryption services that also try to secure data is that the associated customer experience is not up to par, with multiple steps and actions required by the user.
With Material, the Oportun team was able to utilize their existing identity and access management tool – a tool that the company’s employees were already very familiar with. Veejay noted, "The lack of friction for me to get that email back is genius. I click the link, you hit my multifactor. I don’t have to enter anything."
This meant there was no need to download or provide training for another app. Employees could simply use what they’re already familiar with to protect even more at work.
Uncovering Valuable Security Insights
Moving sensitive data workflows out of email
Beyond protecting individual pieces of sensitive information from hackers, Material’s solution has provided Oportun with another significant benefit: insight into the movement of sensitive emails both within and outside the organization.
Here's an example of Material's Risk Reports:
For teams that most frequently process sensitive information such as Legal and Procurement, a very quick locking period of one week was implemented with Material’s Data Protection for Email solution. This means authentication is required to unlock and view the contents of any emails labeled sensitive once a week has passed.
Oportun’s security team had implemented designated platforms for data sharing rather than sending sensitive information via email where it is more susceptible to interception or attack. Adding Material with the new one-week locking period for key departments proved an effective means of encouraging further transition to the secure products the company already owned for managing documents and data sharing.
Danny shared, "We encouraged users to pivot to the CRM and other designated data platforms rather than send and host so much data in email. We’re now able to get the users to adhere to best practices internally. That’s massive for us."
Identifying and securing shadow IT risks
Material’s risk analytics also exposes shadow IT risks, such as unauthorized web-based services in use at an organization. Material’s Identity Protection solution enables Oportun to detect and lock password reset or account login request emails directed to their employees from risky shadow IT services.
Here's an example of Material’s Risk Analytics showing how to discover unsanctioned third-party apps at play:
Great Experience and a Customer-led Product Roadmap
On top of the security benefits the solution has delivered, Veejay says Oportun has been extremely happy with Material’s customer experience: "Material understands the customers’ needs. They answer questions before my team can even say them. It is really rare to find a company that does so well from a technology and infrastructure standpoint that also matches the high bar with customer service and level of care."
Even though the company has a larger enterprise employee base, user training and ongoing maintenance of the solution were extremely simple.
Rollout of the solution took only 25 minutes and Material made it easy with both the approach and its customer support, he says.
Veejay says Material’s roadmap has also been very customer-driven: "I feel we’re part of their product roadmap. It takes a lot to impress IT teams. Material does it easily."
Any issues are always resolved quickly and when Oportun has a request for a new feature they would like added, it is implemented in just one or two cycles, something he says is typically unheard of with other vendors.