Email is among the most used communication tools in the world. Research suggests that as of 2019, the number of emails sent and received is almost 300 billion per day. Email has many powerful benefits, but it has given organizations significant security headaches too. No question: over the past few years, fending off email security threats has become a much higher priority for organizations. Today, senior leaders recognize that people pose a real threat to organizations’ security: 30% of enterprise cyber incidents are caused by employees. Although eye-catching and sophisticated scams like spear phishing attacks regularly make headlines, one of the most common threats to email security is email misdirection.
A misdirected email – also known as a misaddressed email – happens when an email is mistakenly sent to the wrong person due to human error. Even with organizations adopting more and more sophisticated security technologies, messaging the wrong email address is an all-too-common occurrence.
One of the most common causes of a misdirected email is the sender misspelling the intended recipient’s address. An email intended for [email protected] might therefore be sent to [email protected]. (As well as internal work emails, the risk applies when dealing with clients, external partners or other suppliers.) Accidentally sending a message to the wrong address often happens because employees are rushing, or switching focus too quickly when multitasking.
Today, the average person spends nearly a third of their working week on email. To save time, it’s not surprising that people often rely on the Autocomplete feature which is available on most email clients, including on Microsoft Outlook, Yahoo or Gmail accounts. With Autocomplete, people often don’t have to manually type email addresses in when sending emails, instead relying on Autocomplete’s speed and convenience to help them complete work quickly.
While Autocomplete can boost productivity, it raises the risk of mistakes being made. When a sender has typed only the first initial of the correct person’s Gmail address and the client offers a suggested recipient, it becomes much easier to accidentally add a wrong recipient whose name is similar to the intended one.
The Blind Carbon Copy (Bcc) function allows the person sending an email to hide certain recipients from the main send list. Using Bcc also prevents the concealed recipients from receiving subsequent replies in the same thread. In a work environment, it is often essential to use Bcc when sending a sensitive message to a group of people. Human error can play a part here, though. A common mistake involves the sender accidentally putting certain addresses into the To or Cc fields, rather than Bcc. As a result, every address in To or Cc is visible to every other recipient, creating the potential for data loss and compliance breaches. This can be particularly damaging if the content of the email concerns sensitive matters like healthcare. Understanding which people in your address book need to be handled sensitively is vital: exposing the real email addresses of individuals can have disastrous consequences for organizations.
People mistakenly using the “Reply All” function instead of replying to a single recipient can put data at risk of being compromised. “Reply All” errors can cause email account data and personal information to be disclosed to a wider audience than intended. (It can also damage productivity. Last year, an email was accidentally sent to 22,000 employees of the state of Utah, with subsequent “reply all” messages from staff clogging up employees’ inboxes.)
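As an added illustration of the kind of pre-send warning a mail system could raise for the three error patterns above (a misspelled recipient domain, external recipients exposed in To/Cc rather than Bcc, and a wide “Reply All”), here is a small Python check. This is example code written for this article, not Tessian’s product code; the trusted-domain list, the thresholds, and the draft messages are constructed assumptions.

```python
"""Pre-send misdirection check (added example; not part of any product).

Flags three patterns a sender is likely to regret:
  1. a recipient domain that is a near-miss spelling of a trusted domain,
  2. more than a handful of external recipients visible in To/Cc,
  3. a reply-all that fans out to a large audience.
The allow-list and thresholds below are assumed values for illustration.
"""
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example.com", "partner-law.example"}  # assumed allow-list
MAX_VISIBLE_EXTERNAL = 5  # assumed: above this, external addresses belong in Bcc
MAX_REPLY_ALL = 20        # assumed: warn when a reply-all reaches this many people


@dataclass
class Draft:
    sender: str
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    is_reply_all: bool = False


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; domains are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def near_miss_domain(addr: str, trusted, max_dist: int = 2):
    """Return the trusted domain this address nearly (but not exactly) matches."""
    d = domain_of(addr)
    if d in trusted:
        return None
    for t in trusted:
        if 0 < levenshtein(d, t) <= max_dist:
            return t
    return None


def check_draft(draft: Draft, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable warnings for the draft (empty if clean)."""
    sender_domain = domain_of(draft.sender)
    trusted = set(trusted) | {sender_domain}   # the sender's own domain is trusted
    warnings = []
    visible = draft.to + draft.cc

    # 1. misspelled / lookalike recipient domains (checked for Bcc too)
    for addr in visible + draft.bcc:
        t = near_miss_domain(addr, trusted)
        if t:
            warnings.append(f"possible misspelling: {addr} looks like @{t}")

    # 2. external recipients exposed to one another in To/Cc
    external_visible = [a for a in visible if domain_of(a) != sender_domain]
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        warnings.append(f"{len(external_visible)} external recipients in To/Cc; "
                        "consider moving them to Bcc")

    # 3. reply-all fan-out
    if draft.is_reply_all and len(visible) > MAX_REPLY_ALL:
        warnings.append(f"reply-all would reach {len(visible)} recipients")
    return warnings


if __name__ == "__main__":
    # constructed sample drafts
    typo = Draft(sender="alice@example.com", to=["bob@examp1e.com"])
    mass = Draft(sender="alice@example.com",
                 to=[f"patient{i}@clinic{i}.example" for i in range(6)])
    for d in (typo, mass):
        for w in check_draft(d):
            print("WARNING:", w)
```

The domain comparison uses the sender’s own domain plus an allow-list of known partners, so a one- or two-character slip (a digit for a letter, a dropped character) is caught before the message leaves, while genuinely new correspondents are not flagged simply for being unfamiliar.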
As we’ve seen, there are a number of circumstances that lead to misdirected emails in the workplace. So what are the consequences of this kind of error?
In enterprise environments, the content of the message (as well as attachments and links) may include highly sensitive information that regulated organizations have an obligation to protect. For example, law firms often send privileged client data related to ongoing legal matters via email. A pharmaceutical company, meanwhile, may have to pay particular attention to highly sensitive personal information such as patient records.
Many countries have introduced or are introducing stricter data protection laws: GDPR in the European Union, California’s Consumer Privacy Act and the Notifiable Data Breaches scheme in Australia are just a few examples of recent legislation that punishes non-compliance more severely. Under GDPR, organizations failing to control human error on email systems could face fines of up to 4% of annual global turnover, or €20m, whichever is greater. For organizations, the margin for error when it comes to misdirected emails is growing slimmer.
The second consequence concerns trust and reputation. Unlike dialing the wrong phone number, which might be slightly embarrassing, sending a misdirected email and experiencing a data breach as a result can significantly undermine the confidence that clients, shareholders and partners have in an organization. Negative coverage in the press and on social media can damage the perception of companies’ brands, and a quick Google search is all that’s needed to see the harm done to organizations’ credibility. Earlier this year, an NHS employee sent an email to executives containing sensitive personal data regarding 24 NHS employees – who were all copied in on the message.
Looking to the future, organizations will have to adopt security solutions that help reduce the risk of human error. Tessian’s Guardian filter allows enterprises to take control over the errors that happen on email. When a technological solution lets system administrators automatically warn the sender, in real time, that they are about to send an email to the wrong person, the organization is in a more secure and stable position.
Speak to one of Tessian’s cybersecurity experts today, and learn whether we could help your organization.