While there are various ways in which someone can exfiltrate data – which we’ve covered in What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks – email is the biggest risk. In fact, it’s the threat vector IT leaders are most concerned about protecting.
In this article we’ll answer three key questions:
- What is data exfiltration on email?
- Why is it so dangerous?
- How can organizations prevent it from happening?
What is data exfiltration on email?
In order to understand what data exfiltration on email is, we should start with what data exfiltration is more broadly.
Data exfiltration is the act of sensitive data deliberately being moved from inside an organization to outside an organization’s perimeter without permission. This can be done through the digital transfer of data, the theft of documents or servers, or via an automated process.
Data and sensitive information found in spreadsheets, calendars, trading algorithms, planning documents, and customer PII can be moved outside of an organization’s perimeter via email in one of two ways:
- Someone inside the organization (like an employee, exiting employee, contractor, or business partner) emailing data to their own personal accounts or to a third-party.
- External bad actors targeting employees with phishing or spear phishing scams. While these email attacks can be designed for the purpose of initiating a wire transfer, they’re often ploys to extract sensitive information or credentials or to install malware onto a network.
“According to one report, 10% of all insiders and 10% of all external bad actors use email to steal data.
Why is data exfiltration on email so dangerous?
We’ve already mentioned that email is the threat vector IT leaders are most concerned about protecting. But why?
There are two key reasons: it’s easy to access (email accounts today are managed on laptops, smartphones, tablets, and even watches) and the underlying technology behind email hasn’t evolved since its inception in the 1970s. That means there are core security features missing that modern communication platforms have as a standard, including the ability to redact or recall and encryption-by-default.
This makes it one of the go-to mediums for data exfiltration. In fact, according to one report, 10% of all insiders and 10% of all external bad actors use email to steal data. And, if data is successfully exfiltrated, the consequences can be tremendous.
Case in point: A major US health insurance provider agreed to pay $115 million to settle a class-action lawsuit after it was discovered that an employee had stolen data on 18,000 Medicare members, including names, ID numbers, Social Security numbers, health plan IDs, and dates of enrollment.
Interested in learning more about incidents like this? Read 6 Examples of Data Exfiltration on our blog.
How can I prevent data exfiltration on email?
Data exfiltration is a big problem for organizations.
Whether it’s an exiting employee emailing data to their personal accounts on their way out (which 45% of employees admit to doing) or a hacker targeting someone with privileged access to networks and data via a phishing email, security, IT, and compliance leaders must find a way to prevent sensitive information from leaving their organization.
There are several solutions available, but few succeed in preventing data exfiltration attempts on email.
Blocking or blacklisting domains
What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail).
Why it doesn’t work: This is a blunt approach that impedes on employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with its own domain.
Secure Email Gateways (SEGs)
What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.
Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.)
What it is: Organizations could implement rule-based solutions that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration. For example, “If an email contains the word “social security number”, then quarantine the email and alert IT.”
Why it doesn’t work: Rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.
What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently.
Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error.
What it is: Machine learning (ML) models trained on historical email data understand the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not.
Why it does work: This is the “human” way forward. At Tessian, we call it Human Layer Security. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired.
How does Tessian prevent data exfiltration on email?
Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats. We currently protect customers across industries, including those that are highly regulated like Legal and Financial Services.
Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. Our platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.