It’s no secret that threats to email security are on the rise globally. According to a recent survey, 92% of organisations were victims of successful phishing attacks in 2022, while 91% of the respondents admitted to experiencing email data loss. When companies fail to implement sufficient email security strategies, they expose themselves, their clients, and their customers to cyber security incidents such as phishing, data breaches, and business email compromise (BEC). It’s not just external cyber threats that businesses need to be mindful of: the human element, ordinary mistakes made by well-meaning staff, deserves just as much attention.
With so many email-related incidents resulting in data loss, the question is how businesses can do more to prevent these events. Oliver Paterson, Director Product Management, VIPRE Security Group, explores the issue.
Emailing the wrong person
Thanks to the pandemic, hybrid working has increased and the traditional single office-based computer setup is becoming less common within businesses. As employees are under pressure to work harder, better, and faster, it is easy to understand why they do not always verify the address they are sending information to, especially when features like autocomplete in Outlook suggest a recently used address after only a few typed characters, and a name that looks right is accepted without a second glance. While it might seem like an innocent mistake, it can have huge consequences.
That was the case at a university in the UK, where the personal medical details of a student were wrongly sent to the whole campus. It was also the case when Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including a whistleblower’s identity: an employee entered an incorrect character when emailing someone with the same last name but a different first initial.
It only takes one incorrect character, or autocomplete picking the wrong suggestion, for sensitive information to land in the wrong inbox. And what if that recipient is a competitor, or the message is picked up by a cyber criminal?
The risk of email attachments
Another common user error is sending the wrong attachment to the wrong person. This could put company data at risk. If confidential corporate information is released to the wrong person or into the public domain, it can result in a major advantage for the competition or even cause irreparable damage to the company’s reputation.
In addition, organisations now face severe consequences for violating data protection regulations, including GDPR and other industry-specific regulations. Data loss awareness tools that improve email security can help businesses ensure that their intended distribution list is correct by prompting employees to confirm all internal and external recipients, and flagging attachments that contain confidential information.
For example, Surrey County Council was served with a penalty of £120,000 after three data breaches that involved misdirected emails. These included a staff member sending an email with the personal data of 241 individuals to the wrong email address. The information was not encrypted, so it was instantly accessible to the recipient, a direct breach of data protection regulations.
BCC or not
Adding email recipients is a task that may seem simple, but if not done correctly it can have devastating repercussions for businesses. Misusing the CC and BCC fields can expose your entire contact list, since every address placed in To or CC is visible to every other recipient, putting customer emails in front of potential hackers or competitors.
In March 2023, NHS Highland was reprimanded for a data breach which revealed the personal email addresses of people invited to use HIV services. Such a mistake is a common error when sending emails, and one that often goes undetected or unreported. It is nonetheless a data breach, because none of the recipients consented to having their contact details shared with the others.
On the technology side, companies should look to implement solutions that warn and educate people to use the CC and BCC fields properly. However, the problem is broader than CC and BCC misuse, and companies should treat the whole act of sending information out of the organisation as the risk to manage.
It is imperative for businesses handling sensitive information to be aware of the security risks posed by autocomplete, reply all, and mistakes when adding attachments.
Data breach – accident or intent?
More than 300 billion emails are sent each day, so it’s no surprise that misaddressed emails are the largest source of data loss for organisations. Hackers can take advantage of complacency within email culture with a number of techniques. For example, they send emails that appear to be internal but actually come from a spoofed look-alike domain, one that differs from the real domain by a single swapped or substituted character. Given the volume of email sent every day and the speed at which it is handled, employees may not notice the difference and fall victim to a malware or ransomware attack, exposing sensitive information and the network.
On the other end of the scale are data breaches conducted with malicious intent. For example, the Morrisons insider threat breach was carried out by a disgruntled former employee who stole and published payroll data of nearly 100,000 staff members online. His aim was to disparage the reputation of his former employer after a disciplinary matter. The breach reportedly cost the company £2 million to rectify.
Since email makes up a large part of our professional communication, especially when working remotely, it’s important to be aware of and educated about the common email errors that occur. Businesses can support their employees and reduce the risk of a data breach by implementing intuitive technology that detects and highlights potential errors and threats before a message leaves the organisation.
Organisations can quickly reduce errors by implementing technology that warns users about poor email security practices and prompts them to double-check a message before sending it, without affecting employee productivity. These solutions prevent organisations from revealing the wrong information to the wrong person by allowing a quick check of the recipients and attachments of an email before it is sent.
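The pre-send checks described above, and the look-alike domain trick described under "Data breach – accident or intent?", can be sketched in code. The following is an added example written for this page, not VIPRE's product or any vendor's code: a small checker that runs over a draft message and returns warnings for a recipient domain one character away from a trusted domain, a recipient one character away from another known contact (the ROC scenario), a bulk external send placed in To/CC instead of BCC (the NHS Highland scenario), and a confidentially marked attachment addressed outside the organisation. The trusted domains, contact directory, confidentiality markers and threshold are constructed stand-ins for an organisation's own directory and policy.

```python
"""Pre-send checks for an outbound draft, plus a look-alike check for inbound senders.

Added example for this page; all directory data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Optional

# Constructed data standing in for the organisation's directory and policy.
TRUSTED_DOMAINS = {"example.com", "partner.example"}
KNOWN_CONTACTS = {
    "j.smith@partner.example",
    "p.smith@partner.example",
    "a.jones@partner.example",
}
CONFIDENTIAL_MARKERS = ("confidential", "payroll", "medical", "whistleblower")
BCC_THRESHOLD = 5  # external addresses visible in To/CC before insisting on BCC


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive (one typo == distance 1)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(addr: str) -> tuple[str, str]:
    """'Jo <J.Smith@Partner.example>' -> ('j.smith', 'partner.example')."""
    _, bare = parseaddr(addr)
    local, _, domain = bare.lower().rpartition("@")
    return local, domain


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` resembles (one edit away), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) == 1:
            return trusted
    return None


@dataclass
class Draft:
    sender: str
    to: list[str] = field(default_factory=list)
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)  # file names only


def check_draft(draft: Draft) -> list[tuple[str, str]]:
    """Return (code, detail) warnings a mail client would show before sending."""
    warnings: list[tuple[str, str]] = []
    visible = draft.to + draft.cc
    everyone = visible + draft.bcc
    external: list[str] = []
    for addr in everyone:
        local, domain = split_address(addr)
        if domain not in TRUSTED_DOMAINS:
            external.append(addr)
        # 1. Recipient domain is a single typo away from a domain we trust.
        target = lookalike_of(domain)
        if target:
            warnings.append(("LOOKALIKE_DOMAIN", f"{addr} resembles {target}"))
        # 2. Recipient is one character away from another known contact at the same domain.
        for known in sorted(KNOWN_CONTACTS):
            k_local, k_domain = split_address(known)
            if k_domain == domain and k_local != local and edit_distance(k_local, local) == 1:
                warnings.append(("SIMILAR_CONTACT", f"{addr}: did you mean {known}?"))
    # 3. Many external addresses in To/CC: each will see all the others.
    visible_external = [a for a in visible if split_address(a)[1] not in TRUSTED_DOMAINS]
    if len(visible_external) >= BCC_THRESHOLD:
        warnings.append(("USE_BCC", f"{len(visible_external)} external recipients visible in To/CC"))
    # 4. Attachment name carries a confidentiality marker and is leaving the organisation.
    if external:
        for name in draft.attachments:
            if any(m in name.lower() for m in CONFIDENTIAL_MARKERS):
                warnings.append(("CONFIDENTIAL_ATTACHMENT", f"{name} addressed to external recipients"))
    return warnings


def check_inbound_sender(from_header: str) -> Optional[str]:
    """For an inbound From: header, return the trusted domain it impersonates, else None."""
    _, domain = split_address(from_header)
    return lookalike_of(domain)


if __name__ == "__main__":
    draft = Draft(sender="me@example.com", to=["p.smith@partner.example"], attachments=["Payroll_Q3.xlsx"])
    for code, detail in check_draft(draft):
        print(code, detail)
    print(check_inbound_sender("Finance <cfo@examp1e.com>"))
```

The edit-distance test is deliberately strict (exactly one character), which keeps false positives low but misses multi-character look-alikes such as "rn" for "m"; a production control would add a homoglyph table and check the display name against the address as well. The attachment check keys on file names only because that is what a client has at send time; inspecting content would need a classification engine of the kind the text calls a data loss awareness tool.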
While foresight is essential, so is the ability to prepare a smart defence. Businesses can implement best practices to protect themselves from email threats and prevent becoming the next easy target. These best practices include:
- Implementing a layered email security strategy
- Training employees for better security awareness
- Deploying email-specific security controls
The email safeguards businesses implement today will have a broader and more lasting impact as the organisation grows. When implementing these best practices, it’s essential to partner with the right email security vendor, so that the company’s email security solutions are tailored to its size and scale with the business’s growth.