It’s no secret that threats to email security are on the rise. According to a recent survey, 92% of organisations were victims of successful phishing attacks in 2022, while 91% of the respondents admitted to experiencing email data loss. By not implementing sufficient email security strategies, companies open themselves, their clients, and their customers to cyber security incidents such as phishing, data breaches, and business email compromise (BEC). It’s not just external cyber threats that businesses need to be mindful of; the human element also has to be considered heavily.
With so many email-related incidents and data loss, the question arises of how businesses can do more to prevent these events. Oliver Paterson, Director Product Management, VIPRE Security Group, explores more…
The wrong email recipient
With an increase in hybrid employees, the traditional single office-based computer setup is becoming less common within businesses. The pressure on employees to work harder, better, and faster makes it easy to understand why they don’t always verify the validity of the email address they are sending information to, especially now that smarter technology like autofill in Outlook is advancing rapidly. But, while it might seem like an innocent mistake, it can have far-reaching consequences.
For example, that was the case with a university in the UK, where the personal medical details of a student were wrongly sent to the whole campus. Or when Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including a whistleblower’s identity. An employee entered an incorrect character when emailing someone with the same last name but a different first initial.
It only takes one incorrect character, or autocorrect taking over, for sensitive information to land in the wrong inbox. And what if that recipient is a competitor, or the message is intercepted by a cyber criminal?
Sending email attachments to the wrong contact
Another common user error is sending the wrong attachment to the wrong person. This could put company data at risk. The release of confidential corporate information, such as unpatented new product information, to the wrong person or into the public domain can result in a major advantage for the competition or can even harm the reputation of the company beyond repair.
In addition, organisations now face severe consequences for violating data protection regulations, including GDPR and other industry-specific regulations. By investing in a data loss awareness tool that increases email security, businesses can take advantage of features such as prompting employees to confirm all internal and external recipients, and flagging attachments that contain confidential information, to ensure the intended distribution list is correct.
For example, Surrey County Council was served with a penalty of £120,000 after three data breaches that involved misdirected emails. This included a staff member sending an email with the personal data of 241 individuals to the wrong email address. The information was not encrypted, so it was instantly accessible to the recipient, a direct breach of data protection regulations.
To BCC or not to BCC?
Adding email recipients is a task that may seem simple, but if not done correctly it can have devastating repercussions for businesses. The misuse of the CC and BCC functions could expose your entire contact database, revealing customer email addresses to potential hackers or competitors.
In March 2023, NHS Highland was reprimanded for a data breach which revealed the personal email addresses of people invited to use HIV services. Such a mistake is a common error when sending emails, and one that often goes undetected or unreported. However, it is considered a data breach because none of the involved parties had consented to sharing their contact details with others.
Considering technology, companies should look to implement solutions that warn and educate people to use the CC and BCC fields properly. However, the problem goes beyond BCC and CC misuse; companies should treat the risks of sending information as much broader.
The use of autocomplete, reply all, errors adding attachments, and lack of user awareness about the information contained in the body and attachments are all significant security risks that businesses with sensitive information need to be aware of.
Data breach – accident or intent?
More than 300 billion emails are sent each day, so it’s no surprise that misaddressed emails are the largest source of data loss for organisations. Hackers can take advantage of complacency within email culture with a number of techniques. For example, disguising emails to appear as though they are internal, when they actually come from a spoofed domain that looks almost identical to the real thing. In an organisation that sends so many emails every day and works so quickly, employees may not notice this and fall victim to a malware or ransomware attack, exposing the network and sensitive information.
On the other end of the scale are data breaches conducted with malicious intent. For example, the Morrisons insider threat breach was carried out by a disgruntled former employee who stole and published payroll data of nearly 100,000 staff members online. His aim was to disparage the reputation of his former employer after a disciplinary matter. The breach reportedly cost the company £2 million to rectify.
With emails accounting for such a big part of the way we communicate professionally, particularly when working remotely, it’s important to be aware of and educated about the common email mistakes that often occur. Businesses can support their employees and reduce the risk of a data breach by implementing intuitive technology that detects and highlights potential errors and threats before a message is sent.
Investing in technology that warns users about poor email security practices, by providing a simple safety check and prompting them to recheck a message before sending, all without impacting employee productivity, allows organisations to quickly reduce errors. These solutions can prevent organisations from revealing the wrong information to the wrong person by allowing a quick double check of the recipients of emails and attachments before sending them.
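The pre-send safety check described above, and the CC/BCC and lookalike-domain problems from the earlier sections, can be illustrated with a small script. This is an added example, not VIPRE's product or code from the original article; the internal domain, the visible-recipient threshold and the confidential-attachment markers are constructed assumptions.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.org"          # assumed corporate domain (constructed)
BULK_VISIBLE_THRESHOLD = 10              # more visible recipients than this suggests BCC
CONFIDENTIAL_MARKERS = ("confidential", "payroll", "medical")   # constructed filename markers

@dataclass
class Draft:
    """An outgoing message as the check sees it: recipient lists and attachment names."""
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    attachments: list = field(default_factory=list)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one keystroke away from the internal one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def pre_send_checks(draft: Draft) -> list:
    """Return human-readable warnings to show the sender before the message leaves."""
    warnings = []
    visible = draft.to + draft.cc                      # addresses every recipient will see
    external = [a for a in visible + draft.bcc if domain_of(a) != INTERNAL_DOMAIN]
    for addr in external:
        # A one-character difference from the corporate domain is a likely typo or spoof.
        if edit_distance(domain_of(addr), INTERNAL_DOMAIN) <= 1:
            warnings.append(f"lookalike domain: {addr} resembles {INTERNAL_DOMAIN}")
        else:
            warnings.append(f"external recipient: {addr}")
    if len(visible) > BULK_VISIBLE_THRESHOLD:
        warnings.append(f"{len(visible)} visible recipients; consider BCC")
    if external:
        for name in draft.attachments:
            if any(m in name.lower() for m in CONFIDENTIAL_MARKERS):
                warnings.append(f"confidential attachment {name!r} is leaving the organisation")
    return warnings

if __name__ == "__main__":
    # Constructed draft: a mistyped domain plus a payroll spreadsheet.
    for w in pre_send_checks(Draft(to=["a.smith@examp1e.org"], attachments=["Payroll_Q1.xlsx"])):
        print("WARNING:", w)
```

Each warning is a prompt for the sender to confirm, not a block; the thresholds and markers would be tuned to the organisation's own domains and data classification.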
While foresight is essential, so is the ability to prepare a smart defence. Businesses can implement best practices to protect themselves from email threats and prevent becoming the next easy target. These best practices include:
- Implementing a layered email security strategy
- Training employees for better security awareness
- Deploying email-specific security controls
The email safeguards businesses implement today will have a broader and more lasting impact as the organisation grows. When implementing these best practices, it’s essential to partner with the right email security vendor to ensure the company’s email security solutions are tailored to its size and scale with the business’s growth.