Blog
/
/
April 10, 2023

Employee-Conscious Email Security Solutions in the Workforce

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
10
Apr 2023
Email threats commonly affect organizations. Read Darktrace's expert insights on how to safeguard your business by educating employees about email security.

When considering email security, IT teams have historically had to choose between excluding employees entirely, or including them but giving them too much power and implementing unenforceable, trust-based policies that try to make up for it. 

However, just because email security should not rely on employees, this does not mean they should be excluded entirely. Employees are the ones interacting with emails daily, and their experiences and behaviors can provide valuable security insights and even influence productivity. 

AI technology supports employee engagement in this non-intrusive, nuanced way to not only maintain email security, but also enhance it. 

Finding a Balance of Employee Involvement in Security Strategies

Historically, security solutions offered ‘all or nothing’ approaches to employee engagement. On one hand, when employees are involved, they are unreliable. Employees cannot all be experts in security on top of their actual job responsibilities, and mistakes are bound to happen in fast-paced environments.  

Although there have been attempts to raise security awareness, they often have shortcomings, as training emails lack context and realism, leaving employees with poor understandings that often lead to reporting emails that are actually safe. Having users constantly triaging their inboxes and reporting safe emails wastes time that takes away from their own productivity as well as the productivity of the security team.

Other historic forms of employee involvement also put security at risk. For example, users could create blanket rules through feedback, which could lead to common problems like safe-listing every email that comes from the gmail.com domain. Other times, employees could choose for themselves to release emails without context or limitations, introducing major risks to the organization. While these types of actions include employees to participate in security, they do so at the cost of security. 

Even lower stakes employee involvement can prove ineffective. For example, excessive warnings when sending emails to external contacts can lead to banner fatigue. When employees see the same warning message or alert at the top of every message, it’s human nature that they soon become accustomed and ultimately immune to it.

On the other hand, when employees are fully excluded from security, an opportunity is missed to fine-tune security according to the actual users and to gain feedback on how well the email security solution is working. 

So, both options of historically conventional email security, to include or exclude employees, prove incapable of leveraging employees effectively. The best email security practice strikes a balance between these two extremes, allowing more nuanced interactions that maintain security without interrupting daily business operations. This can be achieved with AI that tailors the interactions specifically to each employee to add to security instead of detracting from it. 

Reducing False Reports While Improving Security Awareness Training 

Humans and AI-powered email security can simultaneously level up by working together. AI can inform employees and employees can inform AI in an employee-AI feedback loop.  

By understanding ‘normal’ behavior for every email user, AI can identify unusual, risky components of an email and take precise action based on the nature of the email to neutralize them, such as rewriting links, flattening attachments, and moving emails to junk. AI can go one step further and explain in non-technical language why it has taken a specific action, which educates users. In contrast to point-in-time simulated phishing email campaigns, this means AI can share its analysis in context and in real time at the moment a user is questioning an email. 

The employee-AI feedback loop educates employees so that they can serve as additional enrichment data. It determines the appropriate levels to inform and teach users, while not relying on them for threat detection

In the other direction, the AI learns from users’ activity in the inbox and gradually factors this into its decision-making. This is not a ‘one size fits all’ mechanism – one employee marking an email as safe will never result in blanket approval across the business – but over time, patterns can be observed and autonomous decision-making enhanced.  

Figure 1: The employee-AI feedback loop increases employee understanding without putting security at risk.

The employee-AI feedback loop draws out the maximum potential benefits of employee involvement in email security. Other email security solutions only consider the security team, enhancing its workflow but never considering the employees that report suspicious emails. Employees who try to do the right thing but blindly report emails never learn or improve and end up wasting their own time. By considering employees and improving security awareness training, the employee-AI feedback loop can level up users. They learn from the AI explanations how to identify malicious components, and so then report fewer emails but with greater accuracy. 

While AI programs have classically acted like black boxes, Darktrace trains its AI on the best data, the organization’s actual employees, and invites both the security team and employees to see the reasoning behind its conclusions. Over time, employees will trust themselves more as they better learn how to discern unsafe emails. 

Leveraging AI to Generate Productivity Gains

Uniquely, AI-powered email security can have effects outside of security-related areas. It can save time by managing non-productive email. As the AI constantly learns employee behavior in the inbox, it becomes extremely effective at detecting spam and graymail – emails that aren't necessarily malicious, but clutter inboxes and hamper productivity. It does this on a per-user basis, specific to how each employee treats spam, graymail, and newsletters. The AI learns to detect this clutter and eventually learns which to pull from the inbox, saving time for the employees. This highlights how security solutions can go even further than merely protecting the email environment with a light touch, to the point where AI can promote productivity gains by automating tasks like inbox sorting.

Preventing Email Mishaps: How to Deal with Human Error

Improved user understanding and decision making cannot stop natural human error. Employees are bound to make mistakes and can easily send emails to the wrong people, especially when Outlook auto-fills the wrong recipient. This can have effects ranging anywhere from embarrassing to critical, with major implications on compliance, customer trust, confidential intellectual property, and data loss. 

However, AI can help reduce instances of accidentally sending emails to the wrong people. When a user goes to send an email in Outlook, the AI will analyze the recipients. It considers the contextual relationship between the sender and recipients, the relationships the recipients have with each other, how similar each recipient’s name and history is to other known contacts, and the names of attached files.  

If the AI determines that the email is outside of a user’s typical behavior, it may alert the user. Security teams can customize what the AI does next: it can block the email, block the email but allow the user to override it, or do nothing but invite the user to think twice. Since the AI analyzes each email, these alerts are more effective than consistent, blanket alerts warning about external recipients, which often go ignored. With this targeted approach, the AI prevents data leakage and reduces cyber risk. 

Since the AI is always on and continuously learning, it can adapt autonomously to employee changes. If the role of an employee evolves, the AI will learn the new normal, including common behaviors, recipients, attached file names, and more. This allows the AI to continue effectively flagging potential instances of human error, without needing manual rule changes or disrupting the employee’s workflow. 

Email Security Informed by Employee Experience

As the practical users of email, employees should be considered when designing email security. This employee-conscious lens to security can strengthen defenses, improve productivity, and prevent data loss.  

In these ways, email security can benefit both employees and security teams. Employees can become another layer of defense with improved security awareness training that cuts down on false reports of safe emails. This insight into employee email behavior can also enhance employee productivity by learning and sorting graymail. Finally, viewing security in relation to employees can help security teams deploy tools that reduce data loss by flagging misdirected emails. With these capabilities, Darktrace/Email™ enables security teams to optimize the balance of employee involvement in email security.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Carlos Gray
Product Manager

Carlos Gonzalez Gray is a Product Marketing Manager at Darktrace, based in the Madrid Office. As an email security Subject Matter Expert he collaborates with the global product team to align each product with the company’s ethos and ensures Darktrace are continuously pushing the boundaries of innovation. His prior role at Darktrace was in Sales Engineering, leading the Iberian team and specializing in both the email and OT sectors. Additionally, his prior experience as a consultant to IBEX 35 companies in Spain has made him well-versed in compliance, auditing, and data privacy. Carlos holds an Honors BA in Political Science and a Masters in Cybersecurity from IE University.

Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

Default blog image
Flexible Deployments for Enhanced Email Security
Default blog image
Boosting Security Posture with Email Integration
Default blog image
Enhancing Security Teams with AI-Powered Email Solutions

Blog

/

Email

/

March 19, 2025

Global Technology Provider Transforms Email Threat Detection with Darktrace

Default blog imageDefault blog image

At a glance

  • Within just one month of using Darktrace / EMAIL, the volume of suspicious emails requiring analyst attention dropped by 75%, saving analysts 45 hours per month on analysis and investigation.
  • By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on developing new capabilities and tackling more complex, rewarding projects.
  • Darktrace recently detected and blocked a highly sophisticated and personalized phishing email that spoofed a Microsoft SharePoint and Teams website and used advanced engineering to impersonate the school of an employee’s family member.
  • The transition from the incumbent solution to Darktrace / EMAIL was seamless and undetectable to the company’s vast of customers and partners, reinforcing the security organization’s role as a business enabler—protecting the company and reducing risk without adding friction.

Securing a complex, distributed business without disruption

The company remains at the forefront of technological innovation and transformation; however, its success and ambitions come with the challenges of managing a distributed global business—balancing digital advancements, existing technology investments, and evolving compliance requirements.

Optimizing a complex tech stack for scalable growth

The organization operates a diverse technology stack spanning Windows, Mac, Linux, and multiple cloud environments, creating a complex and challenging IT landscape. The company’s Chief Information Security Officer (CISO) emphasizes the need for efficiency and agility. “Our goal is to scale and deliver new capabilities without increasing headcount, ensuring that costs remain proportionate to growth.”

Balancing security, governance, and business agility

Committed to responsible practices, this industry leader prioritizes secure and trustworthy technology for its customers who rely on its solutions. “Balancing business agility with governance is a constant challenge," said the CISO. "There’s always a natural push and pull, which I believe is healthy—but achieving the right balance is delicate.”

Protecting critical workflows without impacting productivity

For the organization, email is much more than just a communication tool. “Email plays a critical role in our engineering workflows and is fundamental to how we build our products.” Because of this, the company is extremely cautious about implementing any solution that could introduce friction or disrupt productivity. “There is zero tolerance for disruption, which is why we take a deliberate and methodical approach when evaluating, selecting, and deploying our tools and solutions,” he said.  

More than a vendor: A security partner invested in success

To ensure an optimal security infrastructure, the enterprise security team regularly evaluates market technologies to their existing solutions. With the rapidly evolving threat landscape, the CISO said they “wanted to validate whether we still had best-in-class protection and the right controls in place to secure our organization. It was about assessing whether we could do better in our ongoing effort to fine-tuning our approach to achieve the best possible outcome.”

The team evaluated 15 different email security vendors based on the following criteria:

  1. Efficacy to detect threats
  2. Ability to integrate with existing tooling
  3. Ease of use
  4. A vendor’s approach to partnership  

They initially narrowed the list to five vendors, conducting demo sessions for deeper evaluations before selecting three finalists for a proof of value (POV). We analyzed actual malicious emails with each vendor to assess the accuracy of their detections, allowing for an objective comparison,” said the CISO. Through this rigorous process, the Darktrace / EMAIL security solution emerged as the best fit for their business. “Darktrace’s product performed well and showed a genuine commitment to partnering with us in the long-term to ensure our success.”

The team objectively understood where there were gaps across the different vendors, where they were strong, and where they could use improvement. “Based on the analysis, we knew that Darktrace / EMAIL could deliver as the data supported it, in our specific use cases.  

Partnership, integrity and respect

Throughout the evaluation process, the importance of partnership and mutual respect remained an essential factor to the CISO. “I wanted a company we could develop a long-term strategic partnership with, one that could extend far deeper than just email.” A key factor in choosing Darktrace was the commitment and engagement of its team at every level of the organization. “Darktrace showed integrity, patience and a genuine investment in building a strong relationship with my team.  That's why we're here today.”

“Together, we've delivered some fantastic outcomes”

For the organization, Darktrace / EMAIL has played a crucial role in reducing risk, empowering analysts, and enabling a lean, effective security strategy. “Together, we've delivered some fantastic outcomes,” said the CISO.  

Reducing risk. Empowering analysts

“Within that first month, we saw a 75% drop in suspicious emails that that required manual review, which reduced the time my team spent analyzing and investigating by 45 hours per month,” said the CISO. The security team values Darktrace / EMAIL not only for its ease of use but also for the time it frees up for more meaningful work. “Giving my team the opportunity to tackle complex challenges they enjoy and find more stimulating is important to me.” As they continue to fine-tune and optimize balance levels within Darktrace / EMAIL, he expects even greater efficiency gains in the coming months.

Maximizing protection while staying lean

It’s important for the security group to be proportionate with their spending, said the CISO. “It's all about what is enough security to enable the business. And that means, as our organization grows, it's important that we are as lean and as efficient as possible to deliver the best outcomes for the business.”  Embracing an AI-powered automated approach is an essential component to achieving that goal. By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on more strategic and proactive initiatives that enable the business.  

Protecting employees from advanced social engineering threats

Recently, Darktrace detected a malicious email targeting an employee, disguised as a spoofed Microsoft SharePoint and Teams website. What made this attack particularly sophisticated was its personalization — it impersonated the school where the employee’s family member attended. Unlike mass malicious emails sent to thousands of people, this was a highly targeted attack, leveraging advanced social engineering tactics to exploit connections within the education system and between family members.  

Protecting without disrupting

A seamless migration is often overlooked but is critical to success for any organization, said the CISO. With a wide ecosystem of partners, email is a highly visible, business-critical function for the organization — "any friction or downtime would have an immediate impact and could throttle the entire business,” he said. However, the transition from their previous solution to Darktrace / EMAIL was exceptionally smooth. “No one realized we changed providers because there was no disruption — no incidents at all. I cannot emphasize just how important that is when I'm trying to position our security organization as an enabling function for the business that protects and reduces risk without adding friction.”

A security partnership for the future

“To survive as a business over the next few years, adopting AI is no longer optional—it’s essential,” said the CISO. However, with the cybersecurity market becoming increasingly saturated, selecting the right solutions and vendors can be overwhelming. He stresses the importance of choosing strategic partners who not only deliver the outcomes you need, but also deeply understand your organization’s unique environment. “You’re only as strong as your partners. Technology innovation and the cybersecurity market are always changing.  At some point every solution will face a challenge—it’s inevitable. The differentiator will be how people respond when that happens.”  

Continue reading
About the author
The Darktrace Community

Blog

/

AI

/

March 19, 2025

Survey findings: How is AI Impacting the SOC?

Default blog imageDefault blog image

There’s no question that AI is already impacting the SOC – augmenting, assisting, and filling the gaps left by staff and skills shortages. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes to AI cybersecurity in 2025. Our findings revealed striking trends in how AI is changing the way security leaders think about hiring and SOC transformation. Download the full report for the big picture, available now.

Download the full report to explore these findings in depth

The AI-human conundrum

Let’s start with some context. As the cybersecurity sector has rapidly evolved to integrate AI into all elements of cyber defense, the pace of technological advancement is outstripping the development of necessary skills. Given the ongoing challenges in security operations, such as employee burnout, high turnover rates, and talent shortages, recruiting personnel to bridge these skills gaps remains an immense challenge in today’s landscape.

But here, our main findings on this topic seem to contradict each other.

There’s no question over the impact of AI-powered threats – nearly three-quarters (74%) agree that AI-powered threats now pose a significant challenge for their organization.  

When we look at how security leaders are defending against AI-powered threats, over 3 out of 5 (62%) see insufficient personnel to manage tools and alerts as the biggest barrier.  

Yet at the same time, increasing cyber security staff is at the bottom of the priority list for survey participants, with only 11% planning to increase cybersecurity staff in 2025 – less than in 2024. What 64% of stakeholders are committed to, however, is adding new AI-powered tools onto their existing security stacks.

With burnout pervasive, the talent deficit reaching a new peak, and growing numbers of companies unable to fill cybersecurity positions, it may be that stakeholders realize they simply cannot hire enough personnel to solve this problem, no matter how much they may want to. As a result, leaders are looking for methods beyond increasing staff to overcome security obstacles.

Meanwhile, the results show that defensive AI is becoming integral to the SOC as a means of augmenting understaffed teams.

How is AI plugging skills shortages in the SOC?

As explored in our recent white paper, the CISO’s Guide to Navigating the Cybersecurity Skills Shortage, 71% of organizations report unfilled cybersecurity positions, leading to the estimation that less than 10% of alerts are thoroughly vetted. In this scenario, AI has become an essential multiplier to relieve the burden on security teams.

95% of respondents agree that AI-powered solutions can significantly improve the speed and efficiency of their defenses. But how?

The area security leaders expect defensive AI to have the biggest impact is on improving threat detection, followed by autonomous response to threats and identifying exploitable vulnerabilities.

Interestingly, the areas that participants ranked less highly (reducing alert fatigue and running phishing simulation), are the tasks that AI already does well and can therefore be used already to relieve the burden of manual, repetitive work on the SOC.

Different perspectives from different sides of the SOC

CISOs and SecOps teams aren’t necessarily aligned on the AI defense question – while CISOs tend to see it as a strategic game-changer, SecOps teams on the front lines may be more sceptical, wary of its real-world reliability and integration into workflows.  

From the data, we see that while less than a quarter of execs doubt that AI-powered solutions will block and automatically respond to AI threats, about half of SecOps aren’t convinced. And only 17% of CISOs lack confidence in the ability of their teams to implement and use AI-powered solutions, whereas over 40% those in the team doubt their own ability to do so.

This gap feeds into the enthusiasm that executives share about adding AI-driven tools into the stack, while day-to-day users of the tools are more interested in improving security awareness training and improving cybersecurity tool integration.

Levels of AI understanding in the SOC

AI is only as powerful as the people who use it, and levels of AI expertise in the SOC can make or break its real-world impact. If security leaders want to unlock AI’s full potential, they must bridge the knowledge gap—ensuring teams understand not just the different types of AI, but where it can be applied for maximum value.

Only 42% of security professionals are confident that they fully understand all the types of AI in their organization’s security stack.

This data varies between job roles – executives report higher levels of understanding (60% say they know exactly which types of AI are being used) than participants in other roles. Despite having a working knowledge of using the tools day-to-day, SecOps practitioners were more likely to report having a “reasonable understanding” of the types of AI in use in their organization (42%).  

Whether this reflects a general confidence in executives rather than technical proficiency it’s hard to say, but it speaks to the importance of AI-human collaboration – introducing AI tools for cybersecurity to plug the gaps in human teams will only be effective if security professionals are supported with the correct education and training.  

Download the full report to explore these findings in depth

The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.  

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI