Protecting your environment demands a complete understanding of the risks in every account.
The email security market has spent a great deal of effort building walls higher, making them stronger, and patching cracks within them. There are countless tools available to stop phishing attacks: to block malware, detect risky links, and flag suspiciously-urgent language.
These are all necessary, important efforts. But they’re also not enough.
Focusing solely on prevention ignores the inherent risk sitting within the cloud office: the data and access that a compromised account grants an attacker. We still see breaches stem from the tiny fraction of phishing that slips through even the best perimeter defenses, and attacks that enter through side doors, such as a stolen token from an integrated app, are on the rise.
When a breach happens (and it will), how the attacker got in matters, but not as much as what happens next. What's the potential damage?
In short: what’s the blast radius?
A cautionary tale in data hoarding
In August 2024, the New York Department of Financial Services (NYDFS) fined Healthplex, a dental insurance provider, $2 million over cybersecurity failures that led to a significant data breach.
The story begins, as it so often does, with a phishing email. An employee clicked a link, the attacker got in, and a single mailbox was compromised. The fine largely stemmed from two glaring failures: the company's lack of multi-factor authentication (MFA), and its failure to report the incident in a timely manner.
Those are two critical and baffling failures. In 2025, MFA isn’t a nice-to-have: it’s fundamental. It’s the equivalent of leaving a spare key tucked under the welcome mat of a secure facility. And we’ve seen enough painful fines stemming from poor incident reporting to make having and following a comprehensive reporting plan an integral part of any company’s security program: particularly any company that deals in sensitive and regulated data.
But while poor access control and reporting are the root of the fine, they aren’t the most interesting part of the story. The scale of the breach itself stemmed from a third and far more prevalent failing: a complete reliance on perimeter defenses for the cloud office and a lack of detection and response capabilities within the inbox itself.
The compromised mailbox at Healthplex belonged to an employee who assisted with customer service requests and had been with the company for over 20 years. The company had no data retention policy in place, and various reports on the incident suggest the mailbox contained more than 12 years of email, including the private health data and non-public information (NPI) of tens of thousands of customers.
Think about that: a dozen years of correspondence and attachments completely opened up to an attacker, accessible through a single breached account. That initial intrusion was the spark, but over a decade's worth of poorly-managed data was the gasoline.
The inbox as a liability
The Healthplex story is a perfect, if painful, illustration of a problem that we see everywhere. It’s at the root of why we started Material years ago. The cloud workspace has become the central nervous system of the modern enterprise. It’s where work happens. Which means it’s also where our data lives–and often, it’s where it’s forgotten.
Your organization’s Google Workspace or Microsoft 365 environment isn’t just a suite of critical productivity tools, it’s also one of the largest, most unstructured, and most sensitive data repositories your organization owns. It’s a searchable, exportable, and highly-targetable archive of your company’s entire operational history.
As my colleague Kate Hutchinson recently discussed in her post, the old ways of dealing with this simply don’t work. Companies don’t keep this data around because they’re lazy or don’t care if that data is exposed: they keep it because blanket “delete everything after X days” policies are a fantasy. Your teams need to be able to access historical data to do their jobs–and certain departments and operations need to keep their records for legal reasons.
But because of this, the inboxes and file shares become massive liabilities. Each one is a potential fuse to an explosive breach.
Limiting the blast radius: thinking beyond the perimeter
We’ve been banging this drum for quite some time now, but the email security industry has been obsessed with the front gate for far too long. We’ve built a multi-billion dollar industry around analyzing inbound emails with the singular goal of answering one question: “is this good or bad?”
It’s the right question to ask, but it’s not the only question. We have to start thinking about what happens when a bad email inevitably gets through, or when a legitimate token from an integrated app gets stolen, or when an attacker lands in our inbox through any one of countless other vectors.
At Material, we start from the zero trust assumption that an attacker will get in. Not because we lack faith in our inbound protections, but because we can’t ignore the decades of proof that even the most cutting-edge technologies, within the most secure infrastructure, run by the best-staffed team of experts, are still vulnerable to a clever or novel attack.
We continue to expand and improve our inbound protections, just like everyone else in the industry. We still inspect every inbound message: we run each one through layers of rules written by our threat research team, analyze thousands of signals with our proprietary ML models, let customers quickly and easily build custom rules from their own organization-specific threat intel, automate the response to user reports, and more.
But we don’t stop there. We also make sure we can answer other questions. How else could an attacker get into this account? Where could they pivot from here? How can we detect and stop that? And what can we do to minimize the blast radius if it happens?
This requires us to approach email and cloud office security from a fundamentally different position than every other email security provider on the market. Here’s how we approach it:
- Discover what’s there: Material uncovers the exposure of your entire organization and every single account within it. It automatically scans and classifies the sensitive data in mailboxes and shared files, without the complex configuration and noise of traditional DLP tools.
- Understand the risk: The platform unifies email, data, and account security and provides a clear, account-centric view of the risk across your mailboxes and file sharing platforms. You can see which users hold the most sensitive data, and what an account compromise would actually mean. You can see which accounts have the most access to third-party apps, and the nature of that access (for example, federated sign-in or app-specific passwords, both of which an attacker who controls the mailbox can easily take over, since password resets and recovery flows land in that same inbox).
- Shrink the impact: With a full understanding of where your riskiest data lives and who has access to it, it’s possible to mitigate that risk effectively. Material applies protection to sensitive historical data in email, so that if an account holding decades of sensitive messages is compromised, the attacker still can’t read them. It flags risky file sharing and works with users to remediate it, minimizing exposure without hampering productivity. It provides automated and one-click remediations for account compromises, turning a breached mailbox into a limited learning experience rather than a seven-figure disaster.
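To make the three steps above concrete, here is an added illustration in Python. It is not Material’s code and does not describe how the platform works; it is a toy blast-radius estimator: a handful of regex detectors classify the messages in a mailbox export, exposure is aggregated per account (weighted score, number of sensitive messages, age of the oldest one), and an age-based policy then shows how much of that exposure drops out of an attacker’s reach. The sample messages, the detectors and their weights, the fixed “today” date, and the “protect sensitive mail older than N days” policy are all assumptions constructed for the example.

```python
"""Toy blast-radius estimator for a mailbox export (illustrative, not production DLP)."""
import re
from collections import defaultdict
from datetime import date

# Fixed "now" so the example is deterministic (assumption).
TODAY = date(2025, 9, 1)

# Detectors: (label, pattern, weight). Patterns and weights are illustrative assumptions.
DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), 4),
    ("health", re.compile(r"\b(?:diagnosis|prescription|claim #?\d+|procedure code)\b", re.I), 3),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), 1),
]

# Constructed sample mailbox export: (account, sent_date, body). Not real data.
MESSAGES = [
    ("cs-rep@example.com", date(2013, 4, 2), "Claim #88213 for Jane Doe, SSN 123-45-6789, diagnosis attached."),
    ("cs-rep@example.com", date(2019, 11, 15), "Card on file 4111 1111 1111 1111, call 555-123-4567."),
    ("cs-rep@example.com", date(2025, 8, 20), "Thanks, your prescription refill is approved."),
    ("finance@example.com", date(2024, 6, 1), "Q2 invoice totals attached, no customer data."),
    ("finance@example.com", date(2016, 2, 9), "Vendor card 5500 0000 0000 0004 for the renewal."),
    ("exec@example.com", date(2025, 7, 30), "Board deck draft, see attachment."),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the broad card-number regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> dict:
    """Return {label: match_count} for the sensitive data found in one message body."""
    hits = {}
    for label, pattern, _weight in DETECTORS:
        matches = pattern.findall(body)
        if label == "credit_card":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[label] = len(matches)
    return hits


def blast_radius(messages, today=TODAY) -> dict:
    """Per-account exposure: weighted score, sensitive message count, age of oldest hit, labels seen."""
    weights = {label: w for label, _p, w in DETECTORS}
    report = defaultdict(lambda: {"score": 0, "sensitive_messages": 0, "oldest_days": 0, "labels": set()})
    for account, sent, body in messages:
        hits = classify(body)
        if not hits:
            continue  # accounts with no sensitive mail contribute nothing
        entry = report[account]
        entry["score"] += sum(weights[label] * n for label, n in hits.items())
        entry["sensitive_messages"] += 1
        entry["oldest_days"] = max(entry["oldest_days"], (today - sent).days)
        entry["labels"].update(hits)
    return dict(report)


def apply_age_policy(messages, max_age_days: int, today=TODAY):
    """Simulate protecting sensitive mail older than max_age_days (archive it or put it
    behind step-up auth). Returns (number_protected, exposure report for what remains)."""
    remaining, protected = [], 0
    for account, sent, body in messages:
        if classify(body) and (today - sent).days > max_age_days:
            protected += 1
        else:
            remaining.append((account, sent, body))
    return protected, blast_radius(remaining, today)


if __name__ == "__main__":
    before = blast_radius(MESSAGES)
    for account, entry in sorted(before.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{account:22} score={entry['score']:3} msgs={entry['sensitive_messages']} "
              f"oldest={entry['oldest_days']}d labels={sorted(entry['labels'])}")
    protected, after = apply_age_policy(MESSAGES, max_age_days=2 * 365)
    print(f"protected {protected} old sensitive messages; remaining exposure: "
          f"{ {a: e['score'] for a, e in after.items()} }")
```

The ranking answers “which mailbox hurts most if it falls,” and the policy run shows the lever: most of the customer-service mailbox’s exposure comes from years-old mail that no one needs day to day, so protecting anything sensitive older than two years removes the bulk of the blast radius while recent working mail stays untouched.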
It’s not a question of “if,” it’s “how bad”
Building higher walls is no longer a viable strategy by itself. The attacks are too persistent and sophisticated, our environments are too connected, and our users are too human. The conversation about email and cloud workspace security needs to evolve.
This isn’t a revolution, it’s an evolution. Asking “how do we keep them all out?” has been a fantasy since day one. The question we ask of email security must split into three parts, just as it has for cloud workloads, endpoints, and every other mature threat surface:
- “How do we keep as many of them out as possible?”
- “How do we detect them as quickly as possible if they get in?”
- “How do we neutralize the damage they can do without hampering our users?”
Shifting the way you think about your inboxes might mean the difference between a minor incident and a multi-million dollar fine. So take a look at your environment. Take a look at the inboxes of your customer service reps, your finance department, your legal department, your executives. Ask yourself: what’s your blast radius? And what are you doing to shrink it?
To see how easy Material makes it to understand and shrink your blast radius, get in touch today.