Risks of Email Communication

  • 26 February 2019

A consumer survey conducted by Adobe in 2018 found that on a typical weekday, their consumers are checking their work email an average 3.1 hours; their personal email, 2.5 hours. This makes email one of the most habitual platforms employees use, which makes changing this user behavior that much more challenging.

Email’s speed and ubiquity also make it one of the single biggest threats to a company, its employees, and its data. Employees of all levels, in all industries, depend on the ability to communicate quickly and easily in order to get their jobs done.

  • Investment bankers share market sensitive information to buy and sell companies.
  • Lawyers share evidence on litigation matters.
  • Hedge fund managers share data on positions or trading strategies.

Over the past 20 years, email has grown to become the main artery of communication for the enterprise. According to research conducted by McKinsey in 2012, reading and answering email accounts for 28% of the average employee workday this makes email one of the most habitual tasks employees conduct.

“Email has been a great enabler for organizations, but I think any form of electronic communication introduces the risk of data leakage.”
Rob Hyde Chief Information Security Officer at Schroders

Human error is incredibly difficult to understand, let alone predict. Changes in people’s stress levels, morale, engagement and attention can lead to misdirected emails.

While a growing number of enterprise processes are now being automated, email communication is currently still reliant on human interaction and judgement – all of which makes it particularly vulnerable to human error. No matter how structured or ingrained a process or behavior is, mistakes are inescapable, and inevitable.

The risk of data leakage is heightened by many of the factors that make email so useful. The same email address will send personal and professional messages, often in succession. It is platform agnostic – you can send an email to any other email address regardless of its platform making it very difficult to develop a complete security solution for a channel with so many front-end standards and configurations.

As email becomes easier to use the associated risks also increase. Paul Regan, Head of Cybersecurity at Winterflood Securities noted that misdirected emails are where his firm has seen the biggest risk in the last couple of years.

“We are turning off autocomplete, we have an awareness campaign, we’ve got the ICO posters around to remind people to be careful who they send things to. Nothing should leave the building unless it’s encrypted and we’re looking for other products and solutions that will help us with this.”
Paul Reagan Head of Information Security, Winterflood Securities

Email used to be much more manual, but functions such as those Regan refers to have upped the risk, and even with an emphasis on data privacy training, the risks have grown.

Hyde pointed to another worrying trend: “The way email used to be used was very manual. As time has gone on, it’s become much easier to use. It’s available on more devices, better at predicting what you’re going to do – but with that ease of use comes risk.

“We trust the technology hugely, so that when something goes wrong it happens so quickly that it’s impossible to do anything about it – that’s the reality of email.”

misdirected email, such a seemingly small mistake, could heavily damage your relationships with clients and your level of public trust.

“Another aspect of misdirected emails is the potential damage to a firm’s reputation.”
Steve Sumner IT Director, Taylor Vinters

“Imagine, your most important client receives an email with financial or sensitive information going to somebody else. You have a good chance of losing that client and certainly your standing will be hit.”

“It’s too late to go back now”, noted Regan. “I feel that email is an inherently weak medium, and it’s not going to change.

“Deploying Tessian for us is recognition that our employees are trying to do the right thing.

“This is not about having some central security department, overseeing everybody and trying to catch someone doing bad things. It’s a safety net that catches things that otherwise would be a problem,” said Hyde.