Email: The Silent Killer?
3–30–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 30, 2026. The Iran War continues, and appears to be intensifying for all parties involved, and lots of those not directly involved (like the neighboring Gulf states).
That’s going to drive most of our discussion today, following last week’s announcement that Iranian hackers had breached FBI Director Kash Patel’s personal email.
Email - The Silent Killer?
In addition to some goofy looking photos from Patel’s earlier days touring Cuba and smoking cigars, TechCrunch notes that “Patel appears to have sent emails from his former Justice Department email address in 2014 to his Gmail account. TechCrunch found that the emails sent from Patel’s DOJ account also appeared to be authentic.”
I’m going to continue to leave the politics of all this for others to cover and stay focused on the cyber angle.
There are a few things we should take away from this set of interesting circumstances.
First, I think it’s worth just talking about the risk that email poses to many organizations. Lots of folks use email as both their storage and archive system, as well as their daily backup system.
We also have a tremendous amount of both automation and approval workflows that hinge on email, making the compromise of the inbox potentially incredibly damaging across a number of threat vectors.
Beyond that, we also know that email is typically available on lots of devices (including non-managed personal mobiles, and via web portals).
All of this has perfectly logical business rationale, especially since we’ve built all of these dependencies on the inbox.
At the same time, we really, really, really need to be mindful of what people are keeping in their inboxes. During a risk assessment, it’s not uncommon for us to encounter PII from current, past, and prospective employees.
We also find ePHI from HR teams handling things like long-term disability claims.
We also regularly encounter users who never delete an email, meaning that we’ve got their entire professional communications available to anyone who can access that inbox, or to a discovery request.
The old maxim “if you don’t need it, delete it” applies here - now more than ever.
At the same time, those basics we keep talking about (including robust, phish-resistant MFA, and the ability to manage devices that can access your email tenant) go a long way towards cutting down on these types of attacks against your own email infrastructure.
But what about personal email, as we see in this case? Obviously we can’t control that, but we can implement both policies and technical controls that limit employees from using personal email for official business (something that Patel was likely in violation of with his forwarding of DOJ emails to his Gmail).
You can also block auto-forward rules on your email tenant (useful, too, in defending against BECs), and get notified when users try to install those (useful in detecting when someone may be getting ready to depart from the organization, for instance).
That said, it’s not a perfect system, and we need to train, inform, and enforce if we hope to have a fighting chance.
Modern DLP systems, including Purview, can help manage this risk down, but the risk won’t go away just as email itself won’t go away. Similarly, the risk in handling sensitive or regulated data won’t go away - so make sure you’re giving your teams secure and reliable ways to handle, transmit, and store that data, and training them on why, exactly, it might not be the best idea to forward these things off to your personal accounts.
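To make the "get notified about auto-forward rules" idea concrete, here is an added example (not part of the original brief and not any vendor's code) that flags mailbox rules forwarding mail outside the organization. The event schema, action names, domains, and sample events are all constructed assumptions; map them to whatever your mail platform's audit log actually emits.

```python
from email.utils import parseaddr

# Assumptions for this example: the organization's own domains and the
# rule actions that send a copy of mail elsewhere (hypothetical names).
INTERNAL_DOMAINS = {"example.com"}
FORWARDING_ACTIONS = {"forward_to", "redirect_to", "forward_as_attachment_to"}

# Constructed sample events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"time": "2026-03-27T14:02:11Z", "user": "alice@example.com", "rule": "archive",
     "actions": {"forward_to": ["alice.home@example.net"]}},
    {"time": "2026-03-27T15:40:03Z", "user": "bob@example.com", "rule": "team copy",
     "actions": {"forward_to": ["Team <team@mail.example.com>"]}},
    {"time": "2026-03-28T09:12:45Z", "user": "carol@example.com", "rule": "receipts",
     "actions": {"move_to_folder": ["Receipts"]}},
    {"time": "2026-03-28T22:51:30Z", "user": "dave@example.com", "rule": ".",
     "actions": {"redirect_to": ["Dave <dave@EXAMPLE.COM.example.org>"]}},
]


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain):
    """True for an internal domain or a subdomain of one (suffix match on a dot)."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_forward_alerts(events):
    """Return one alert per forwarding target that is not provably internal."""
    alerts = []
    for ev in events:
        for action, targets in ev.get("actions", {}).items():
            if action not in FORWARDING_ACTIONS:
                continue
            for target in targets:
                dom = domain_of(target)
                # Unparseable targets are flagged too (fail closed).
                if dom is None or not is_internal(dom):
                    alerts.append({"time": ev["time"], "user": ev["user"],
                                   "rule": ev["rule"], "action": action, "target": target})
    return alerts


if __name__ == "__main__":
    for alert in external_forward_alerts(SAMPLE_EVENTS):
        print(alert)
```

The last sample event shows why the domain check matches on a dot boundary: an address at `example.com.example.org` contains the company name but is not an internal domain.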
Follow-Up Items
By way of follow-up from last week, Stryker has not posted a single update since we last spoke, their 3/23 note being the most recent one on their Customer Update site.
We also got a Part II post to the Delve saga, where the author asserts that the firm isn’t actually a software company, but rather a services firm seeking software multiples in terms of valuation.
Moving rapidly towards the inside baseball stage of things, but worth following if you do any TPRM work or review SOC 2s on behalf of your organization.
Fundraising
From a fundraising perspective, somewhat smaller numbers last week, with only just under $10B in newly committed capital, led by:
Lead Edge Capital raised $3.5b for its seventh flagship growth equity fund; while
Kleiner Perkins raised $1b for its 22nd early-stage fund and $2.5b for a growth fund.
That lower number seems to be a blip, as I’ve already seen fundraising announcements from this morning that eclipse last week’s total.
Again, a rationale that I don’t understand, so just leave me to my Vanguard lifecycle mutual funds, thanks.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html