Gusto Tackles Three Priorities With a Novel Approach to Email Security
- Gusto takes great care to manage email risk and regulated customer data across its large email footprint.
- Risk Analytics provided Gusto with data to inform and prioritize email security plans.
- Leak Prevention added a quick verification step to protect data in email archives against unauthorized access and misuse.
- Account Takeover Prevention protected SaaS apps holding sensitive data from compromise via password resets.
- Phishing Herd Immunity enabled every employee to protect the company without waiting for a security review and reduced triage time 91%.
- Gusto was able to automate the deployment of Material’s capabilities in full without requiring any ongoing support from in-demand IT or Engineering teams.
“At Gusto, every employee is serious about protecting our customers and ecosystem. We are using Material to take full advantage of the underlying APIs in our cloud email to protect against phishing, reduce ATO attacks, prevent sensitive data leakage, and more.”
— Fredrick "Flee" Lee, CSO, Gusto
Information security is essential when you handle payroll information for over 100,000 businesses and process billions of dollars in payroll annually. With a surface area this large, being extremely proactive is the only scalable strategy. Gusto always took security seriously and in 2019 hired Fredrick Lee (aka “Flee”) as CSO. He is on a big mission to safeguard the company’s entire ecosystem. Before Gusto, Flee led security at Square, which makes him no stranger to protecting the digital lives of millions of individuals and small businesses.
With businesses across industries using Gusto’s platform, safeguarding communications is mission-critical. Gusto established a solid security infrastructure with strong security controls built in and multiple protective measures in place. To reinforce its security and resilience at scale, Gusto sought out a partner that would share its commitment to handling sensitive communications with the utmost care, in a seamless, easy-to-use format that wouldn’t require ongoing support from in-demand IT or Engineering teams to implement and run.
Material met those crucial requirements for Gusto: being easy to operate and use while providing enhanced security measures that maintain Gusto’s strict data privacy protocols.
“Protecting Gusto’s email means protecting Gusto’s customers. Material reinforces that foundation of email security without introducing friction. It makes the right thing easy to do and enables our team to strengthen our security posture with just a few clicks.”
When Flee engaged Material, he outlined three objectives: 1) gain insight into potentially sensitive content in mailboxes—a common challenge for IT and security teams, 2) prevent unauthorized access to sensitive content, and 3) create company-wide resilience against phishing attacks. JR Babauta, Gusto’s Security Program Manager, took responsibility for delivering on each of these objectives.
For Gusto, there is another objective that is always present—maintaining a high bar for security and privacy of customer data. Material's deployment model, which allows customers to directly manage the underlying infrastructure, gives Gusto complete control over the security and privacy of messages that flow through the system. The entire application and data are always within the Gusto Security team’s oversight and monitored with immutable audit logs.
Reinforcing the Foundation for Email Security
Every great program needs a solid foundation, and in security circles that means understanding risk factors. Material’s Risk Analytics measured Gusto's risk along three dimensions: email accounts, third-party app use, and interaction with external partners. It also identified configuration settings that would further strengthen Gusto's security posture, and Gusto's security team addressed them with just a few clicks.
The ability to find, investigate, and manage messages at scale is another critical capability for day-to-day operations. But like many security organizations, Gusto knew that its email platform's native message search required overly broad administrative permissions. So, for privacy and security reasons, it had intentionally chosen to limit search access:
“Material’s message search saves time without sacrificing security and privacy. Our team can find what we need and take action safely and even more efficiently than before.”
Material provides real-time search over email and exposes it with granular role-based access controls and an immutable audit log to help protect privacy. Now when Gusto's security team identifies a suspicious message, they can easily and safely take action to delete it or mark it as sensitive to protect it.
Securing Sensitive Email Without Slowing Down Productivity
With Material’s Risk Analytics, Gusto quantified the number of potentially sensitive messages in its mailboxes. With data in hand, Flee and JR had addressed the first objective and turned to the second: preventing unauthorized access and misuse.
“At Gusto, we protect sensitive data wherever it lives, including email. We use Material because it's well tuned, focused, and does a great job.”
Gusto's approach is powered by Material's Leak Prevention capability. Leak Prevention protects email accounts by redacting sensitive messages in place and requiring a quick additional authentication step (for example, via Duo or Okta) to retrieve them on demand. That is simple for a legitimate user, but not for an attacker who has taken over the mailbox and cannot pass the second factor.
To be thoughtful about potential changes to certain email workflows, Gusto rolled out Material’s Leak Prevention in stages. JR tested with the security team to get feedback before gradually including other teams. He paid special attention to the grace period settings that determine when messages are redacted, tuning them to match the varying needs of certain teams. Leak Prevention enabled Gusto to better protect sensitive content in its most widely used communications platform:
“Leak Prevention is awesome. I trust Material to identify the right sensitive content. Leak Prevention protects us, but it doesn’t impede any daily activity.”
Once deployed, Leak Prevention spared the Gusto security team a common frustration with security tools: noisy alerts that lack the context needed to act on them. That exceeded JR’s expectations:
“Expecting our security team to monitor unreliable DLP alerts wasn't an option. Unlike many other security tools, Material's Leak Prevention doesn't require constant babysitting.”
Protecting Email as the Key to Third-Party Apps
Material’s Risk Analytics also uncovered more than a dozen important apps configured to allow password resets via email. Like other security-savvy organizations, Gusto uses SSO as a baseline control for cloud services. However, even organizations using SSO still frequently deal with applications that fall back to password resets over email, whether because of misconfiguration, lack of SAML support, or because end-users set them up without IT’s knowledge. Gusto recognized that many of these apps held sensitive data and wanted to add an extra layer of protection. Flee explains what was at stake:
“Email as the key to your other services has massively changed over the years. It’s connected to far more sensitive accounts and more of them. Today, your email identity is more important than passwords or 2FA.”
Gusto implemented Material’s Account Takeover (ATO) Prevention to require users to pass a challenge using an additional factor before accessing password reset emails. The rollout was simple and deployed simultaneously with Leak Prevention. JR has handled his fair share of security incidents and appreciates what ATO Prevention means for Gusto:
“I like ATO Prevention a lot. If an attacker compromises your email account, they can’t reset passwords for other applications and they can’t get to your sensitive data. If anyone ever experiences that, it will give our Gusties (employees) real comfort that their email is protected.”
With access to sensitive emails gated behind an additional factor, and account takeover of third-party apps via email prevented, the team had achieved its second objective.
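The two controls described in this section and the previous one, Leak Prevention (redact sensitive mail in place after a team-specific grace period, reveal it only after a second-factor challenge) and ATO Prevention (gate password-reset mail the same way, with no grace period), share one mechanism: classify the message, redact it in place, and require a step-up challenge to reveal it, recording every action in an append-only audit log. The following toy model shows that mechanism end to end. It is an added example, not Material's code or Gusto's configuration; the in-memory mailbox, the regex detectors, the team names and the `step_up` callback standing in for a Duo/Okta push are all assumptions made here for illustration.

```python
"""Toy model of in-place redaction with step-up authentication (added example).

Not Material's code. Assumes an in-memory mailbox, regex-based detectors,
and a caller-supplied `step_up(user, msg_id)` callback that stands in for a
Duo/Okta challenge and returns True when the user passes it.
"""
import re
from dataclasses import dataclass, field

# Constructed detectors; a real deployment would use a tuned classifier.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # US SSN layout
    re.compile(r"\b(?:routing|account)\s+number\b", re.I),
]
RESET_SUBJECT = re.compile(r"reset your password|password reset", re.I)
RESET_LINK = re.compile(r"https?://\S*(?:reset|recover|forgot)", re.I)

REDACTED = "[Redacted: complete a second-factor challenge to view this message]"


@dataclass
class Message:
    msg_id: str
    team: str
    subject: str
    body: str
    delivered_at: float
    category: str = "normal"   # set on delivery: sensitive | password_reset | normal
    redacted: bool = False
    original_body: str = ""


def classify(msg: Message) -> str:
    """Password-reset mail is checked first: it is gated even if it carries no sensitive data."""
    if RESET_SUBJECT.search(msg.subject) or RESET_LINK.search(msg.body):
        return "password_reset"
    if any(p.search(msg.body) for p in SENSITIVE_PATTERNS):
        return "sensitive"
    return "normal"


@dataclass
class ProtectedMailbox:
    grace_periods: dict                        # team -> seconds before sensitive mail is redacted
    messages: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # append-only record of every redact/reveal

    def deliver(self, msg: Message) -> str:
        msg.category = classify(msg)
        self.messages[msg.msg_id] = msg
        if msg.category == "password_reset":
            self._redact(msg, msg.delivered_at)   # ATO Prevention: gated immediately, no grace period
        return msg.category

    def sweep(self, now: float) -> list:
        """Leak Prevention: redact sensitive mail once the owning team's grace period has elapsed."""
        done = []
        for msg in self.messages.values():
            if msg.category == "sensitive" and not msg.redacted:
                if now - msg.delivered_at >= self.grace_periods.get(msg.team, 0):
                    self._redact(msg, now)
                    done.append(msg.msg_id)
        return done

    def _redact(self, msg: Message, now: float) -> None:
        msg.original_body, msg.body, msg.redacted = msg.body, REDACTED, True
        self.audit_log.append((now, "redact", msg.msg_id, msg.category))

    def read(self, msg_id: str, user: str, step_up, now: float):
        """Return the body; a redacted body is revealed only after step_up(user, msg_id) succeeds."""
        msg = self.messages[msg_id]
        if not msg.redacted:
            return msg.body
        ok = bool(step_up(user, msg_id))
        self.audit_log.append((now, "reveal" if ok else "reveal_denied", msg_id, user))
        return msg.original_body if ok else None


def run_demo() -> dict:
    """Walk both flows with constructed messages and return the observable results."""
    box = ProtectedMailbox(grace_periods={"security": 0, "support": 3600})
    ssn_mail = Message("m1", "support", "Employee W-2 question",
                       "Hi, the SSN on the form is 123-45-6789, is that right?", delivered_at=1000.0)
    reset_mail = Message("m2", "support", "Reset your password for AcmeHR",
                         "Click https://acmehr.example/reset?token=abc to continue.", delivered_at=1000.0)
    plain_mail = Message("m3", "support", "Lunch?", "Noon at the usual place.", delivered_at=1000.0)
    cats = {m.msg_id: box.deliver(m) for m in (ssn_mail, reset_mail, plain_mail)}
    reset_gated = reset_mail.redacted          # True: no grace period for reset mail
    ssn_still_open = ssn_mail.redacted         # False: inside the support team's grace period
    swept = box.sweep(now=1000.0 + 3600)       # grace period over: m1 is now redacted
    approve = lambda user, mid: True           # stand-in for a successful Duo/Okta push
    deny = lambda user, mid: False             # attacker holding only the mailbox session
    return {
        "categories": cats,
        "reset_redacted_immediately": reset_gated,
        "sensitive_redacted_in_grace": ssn_still_open,
        "swept_after_grace": swept,
        "reveal_with_factor": box.read("m1", "alice", approve, now=5000.0),
        "reveal_without_factor": box.read("m2", "attacker", deny, now=5001.0),
        "plain_readable": box.read("m3", "alice", deny, now=5002.0),
        "audit_events": [e[1] for e in box.audit_log],
    }
```

The grace period is the knob JR tuned per team: with it set to 0 for the security team, sensitive mail is redacted on the first sweep, while a support team that handles such mail routinely gets an hour before redaction. Note that `read` never logs access to unredacted mail; if the audit log is meant to be the complete record of who saw what, every read path, not just the reveal path, should append to it.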
Empowering Employees to Protect the Company Cut Triage Time 91%
At Gusto, security is everyone’s job. That means security-conscious employees routinely flag security-related questions and concerns to the security team. Gusto needed a solution that let Gusties keep bringing these issues to light while creating a response process that scaled with the volume of reports and cut triage time substantially.
Gusto’s security team had noticed a rise in phishing attacks and knew the existing phishing response process had to improve to keep pace with the ever-increasing volume of employee reports. The team had to handle each report individually, and typically needed about 45 minutes to triage each one.
Material’s Phishing Herd Immunity makes it possible for one employee’s report to automatically protect an entire company from similar suspicious messages with minimal disruption and without the bottleneck of a manual investigation. The Gusto rollout was simple. Employees were well-trained in reporting messages, and when JR informed them that reporting instantly protected their colleagues, they embraced the novel approach:
“It only took one announcement to get the whole company on board. Gusties are really good about reporting suspicious emails. And that, in turn, makes Phishing Herd Immunity a very useful tool for us.”
The Gusto security team loved the improved workflow. An employee would forward a suspicious message, and Material would then build a cluster of similar messages and defang all links and attachments in them so that a warning is shown if anyone clicks or opens them. These post-delivery warnings were applied to messages already in mailboxes as well as to similar messages that arrived later.
The team at Gusto always took triage seriously, and now they no longer needed to “babysit the mailing list” or stress as much about urgent triage. In fact, rolling out Phishing Herd Immunity reduced Gusto’s triage time by 91% by eliminating the repetitive triage steps that each near-identical reported message used to require.
Today, Gusto can remediate entire message clusters at once, choosing from a range of remediation options matched to the severity of the threat. JR describes the immediate and ongoing benefits for his team:
“The response time is now just 3-4 minutes instead of 45 because we don’t have to manually respond to the follow-on reports. And all employees are already protected automatically by the initial report. Our whole workflow has changed. I just go into Material and see that it’s working.”
Flee appreciated how quickly Phishing Herd Immunity protected Gusto employees and reduced the security team's workload. He had achieved the third objective: company-wide resilience to phishing.
“We are working hard to eliminate the impact of phishing attacks on the Gusto ecosystem, and Material is playing a heavy role in our strategy.”
Easy To Operate While Maintaining Privacy and Control
JR deployed Material’s full set of capabilities without having to ask Security Engineering for help, which allowed that team to stay focused on other priorities. Material was easy to manage and didn’t overwhelm his other PM responsibilities:
“I’m surprised how easy it is and impressed with how much thought went into making it work. Material seems to just run itself. We are taking advantage of all of the functionality, which is a first for us. And yet we don’t need security engineers to operate it. It was unexpected, in a good way.”
And Flee’s feedback? After tackling his three objectives for email security, he offered one piece of advice:
“Material is email security. If you do anything with sensitive data, use it.”