Email security incidents happen every 12 hours – and, no, it’s not because of phishing

November 23, 2020

Tony Pepper

Data breaches caused by outbound email are prolific. Usually a result of inadvertent errors or risky but well-meaning behaviour, although sometimes with personal gain in mind, sensitive data is leaked by email once every 12 working hours. Ninety-three percent of CISOs and IT leaders acknowledged in the 2020 Outbound Email Security Report that sensitive data had been put at risk in their organisation due to outbound email in the last 12 months.

More importantly, though, when asked to quantify this, on average each organisation experienced 180 incidents per year when sensitive personal data or privileged client information was put at risk. In an average working year, that’s one incident every 12 working hours. What’s causing outbound email data breaches? The incidents themselves occur as a result of all-too-common actions:

- Adding one or more incorrect recipients, often due to Outlook autocomplete

- Attaching the wrong file(s)

- Forgetting to use Bcc

- Adding unauthorised recipients into email chains

- Sending data to a personal email address

- Intentionally taking data to a new job or leaking it as part of corporate espionage

The list could certainly go on! Interestingly, it’s actually the inadvertent errors that are causing the most harm to organisations. In the UK, the Information Commissioner’s Office (ICO) security trends for the first six months of 2020 show that ‘data emailed to incorrect recipient’ is the top cause of reported incidents and, between April and June, was responsible for 40% more incidents than phishing attacks.

When we consider why accidental data leaks via email are such a prolific problem, it comes down to changes in the way we utilise technology and people’s behaviour. Let’s start with the way we use technology. We can all accept we’re creating, collecting and storing far more digital data than ever before. The COVID-19 pandemic has only amplified this, with half of organisations experiencing an increase in outbound email traffic of more than 50% - and with more data being shared by email, comes an increased risk of data leaks.

The growth of cloud has also eroded the security perimeter. No longer can we rely on the notion that we’re safe ‘on the inside’ of the organisation’s network; we’re all interacting with data and applications from a myriad of different locations, including when we’re travelling between them!

The perimeter is now the person: the user who’s sending client files in a rush as their train pulls into the station (more common in pre-pandemic days) or, in recent months, the employee who’s sending that email while trying to simultaneously ensure their child is logged into remote learning successfully or trying to catch a delivery driver before they leave the doorstep.

Next, consider the process of writing an email. For many it follows a similar pattern: more time and attention is spent crafting the message body, less time and attention on adding recipients and attaching files. That’s because we view the message as the primary activity, the one of most importance.

We want to ensure we get the correct tone and include all the relevant information. In comparison, we’re paying less attention when it comes to the ‘easier’ part of adding recipients and attaching files; we start to relax, our concentration lessens and we move onto thinking about the next thing we need to accomplish. When autocomplete suggests the wrong recipient, we simply don’t notice and quickly hit ‘Send’.

Why haven’t we solved this problem before?

There are two reasons we’ve traditionally failed to solve this problem: firstly, legacy DLP technologies and the security controls native to email clients like Microsoft 365 lack the intelligence required to detect and prevent human-activated threats for outbound email; and secondly, training cannot fix the problem of human error. Legacy DLP solutions are built using static rules. If an email violates the set criteria, actions can be taken, such as blocking its release or automating encryption. Where security and DLP are user-led, we still run into problems because they rely on people to make decisions.

You can either take a sledgehammer approach of prompting on everything, which for the vast majority of employees will lead to click fatigue; or you can trust people will always make the right choice when it comes to adding recipients, attaching files and applying security. While training is rightly an integral part of any comprehensive security strategy, on its own it’s not able to dramatically reduce human error; otherwise we’d have trained beyond it and misdirected emails wouldn’t be the top cause of security incidents!

What can you do about it today?

There are two things that can be done today to help you overcome the issue of misdirected emails. The first is an audit of your email system to see how big a problem this is for your organisation specifically. Unfortunately, I expect it’ll be worse than you think. There’s technology that can help with these audits, looking not only for misdirected emails with wrong recipients and attachments, but also for failures to utilise encryption and other policy violations, and for times when TLS should have been protecting data but wasn’t. The next is to upgrade your outbound email security.

Advances in contextual machine learning mean that intelligent DLP can detect and prevent human-activated data breaches in ways that legacy solutions simply can’t achieve. They’re able to deeply understand an individual user’s behaviour and relationships to validate in real time that, yes, this specific email and its attachments are going to the right recipient(s) with the right level of security applied.
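To make the contrast concrete, here is an added Python example (it is not Egress code, not any product's logic, and not part of the original post) of a pre-send check that runs the kind of static, one-size-fits-all rules described earlier alongside a sender-specific relationship check: a recipient the sender has never corresponded with, but whose address closely resembles a known contact, is the autocomplete slip the list of causes opens with. Prompting only when a finding exists is what keeps this short of the "prompt on everything" click fatigue problem. The sample sending history, the addresses, the list of personal-webmail domains and the 0.85 similarity cutoff are all constructed assumptions.

```python
"""Pre-send outbound email checks: static DLP rules beside a sender-specific
relationship check.  Added example; not Egress code or any product's logic.
"""
from __future__ import annotations

import difflib
from collections import Counter
from dataclasses import dataclass, field

# Assumption: mail to these webmail domains counts as "sending data to a personal address".
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Assumption: a never-seen address this similar to a known contact is treated as a lookalike.
LOOKALIKE_CUTOFF = 0.85


@dataclass
class Draft:
    """The parts of an outgoing message the checks look at."""
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def static_rule_findings(draft: Draft) -> list[str]:
    """Legacy-style rules: identical criteria for every user, no notion of who
    normally talks to whom."""
    findings: list[str] = []
    visible = draft.to + draft.cc           # Bcc recipients are not exposed to each other
    internal = domain(draft.sender)
    for addr in visible:
        if domain(addr) in PERSONAL_DOMAINS:
            findings.append(f"personal-address: {addr}")
    external = {domain(a) for a in visible if domain(a) != internal}
    if len(external) >= 3:                  # several unrelated organisations can see each other
        findings.append(f"bcc-suggested: {len(external)} external organisations visible in To/Cc")
    return findings


def relationship_findings(draft: Draft, history: Counter) -> list[str]:
    """Sender-specific check over (sender, recipient) -> past message count.
    A recipient with no history that closely resembles one the sender does use is
    the classic autocomplete mistake; a recipient with no history and no lookalike
    is simply new and worth a glance."""
    findings: list[str] = []
    known = [r for (s, r), n in history.items() if s == draft.sender and n > 0]
    for addr in draft.to + draft.cc + draft.bcc:
        if history[(draft.sender, addr)] > 0:
            continue                        # established relationship, no prompt
        close = difflib.get_close_matches(addr, known, n=1, cutoff=LOOKALIKE_CUTOFF)
        if close:
            findings.append(f"lookalike: {addr} resembles known contact {close[0]}")
        else:
            findings.append(f"new-recipient: {addr} has no history with {draft.sender}")
    return findings


def check_draft(draft: Draft, history: Counter) -> dict[str, list[str]]:
    return {"static": static_rule_findings(draft),
            "contextual": relationship_findings(draft, history)}


def should_prompt(draft: Draft, history: Counter) -> bool:
    """Prompt the user only when something looks wrong, not on every send."""
    result = check_draft(draft, history)
    return bool(result["static"] or result["contextual"])


# Constructed sample history: (sender, recipient) -> number of past messages.
SAMPLE_HISTORY = Counter({
    ("tony@firm.example", "j.smith@clienta.example"): 40,
    ("tony@firm.example", "legal@clienta.example"): 12,
    ("tony@firm.example", "priya@firm.example"): 200,
})

# Constructed drafts: one routine message and three of the incident types from the list above.
ROUTINE = Draft("tony@firm.example", to=["j.smith@clienta.example"], cc=["priya@firm.example"])
AUTOCOMPLETE_SLIP = Draft("tony@firm.example", to=["j.smith@clientb.example"])
PERSONAL_COPY = Draft("tony@firm.example", to=["tony.home@gmail.com"], attachments=["client-list.xlsx"])
FORGOT_BCC = Draft("tony@firm.example", to=["a@one.example", "b@two.example", "c@three.example"])

if __name__ == "__main__":
    for name, d in [("routine", ROUTINE), ("autocomplete slip", AUTOCOMPLETE_SLIP),
                    ("personal copy", PERSONAL_COPY), ("forgot bcc", FORGOT_BCC)]:
        print(name, "-> prompt:", should_prompt(d, SAMPLE_HISTORY), check_draft(d, SAMPLE_HISTORY))
```

The static rules alone miss the autocomplete slip entirely (clientb.example is not a personal domain and is only one external organisation), while the relationship check alone would not notice three unrelated organisations being exposed to each other in To/Cc; the two are complementary, which is the gap between rule-based and contextual DLP that the paragraph describes.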