For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network.
This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network.
While “DLP” applies to more than email, email has become one of the most important vectors to safeguard.
Employees spend 40% of their digital time on email sending memos, spreadsheets, invoices, and other sensitive information and data (structured and unstructured alike). When you combine this with the fact that the underlying technology behind email hasn’t evolved since its inception and its ease-of-access – email accounts today are accessible on laptops, smartphones, tablets, smartwatches and even cars – it’s easy to see why 90% of data breaches start on email.
A major US health insurance provider had to pay out $115 million in a class-action lawsuit after an employee stole the data of over 18,000 members over the course of nine months. How? Via email. The data exfiltrated included the members’ ID numbers, names, social security numbers, and other personal information.
Of course, not all incidents of data loss make headlines. According to Tessian data, over 700 misdirected emails are sent in organizations with 1,000 people every year.
This goes to show that businesses must be vigilant in assessing risk around both data loss and data exfiltration and, in doing so, must implement security measures that decrease their likelihood of suffering a breach.
Unfortunately, that’s easier said than done.
As security leaders know, preventing data loss requires not only advanced security tools but also buy-in from the entire organization. Here are three reasons why data sent through email is hard to regulate:
When you consider the objective of DLP, you realize there are two distinct approaches to take.
While both approaches have their merits, there are some clear shortcomings to a data-centric approach.
There are several different approaches organizations can take in preventing data loss. But, given the fact that security breaches have increased by 67% in the last five years, it’s worth noting the drawbacks of each solution.
Blocking accounts/domains: In this approach, particular domains (particularly free mail domains like @gmail.com or @yahoo.com) are blocked by the company. Why? These emails will undoubtedly be attached to people outside of the organization and, oftentimes, are actually the personal email accounts of employees themselves.
Drawbacks: There are legitimate reasons to send and receive emails from people or organizations outside of your company’s network and with “freemail” domains. Employees might need to communicate with a client or manage freelancers. They may also simply be trying to send documents “home” to work after hours or over the weekend. Unfortunately, it’s not difficult for employees to find workarounds, regardless of their intentions.
Blacklisting email addresses: Security teams can create a list of non-authorized email addresses and simply block all emails sent or received.
Drawbacks: Because blacklisting requires constant updating, it’s very time- and resource-intensive. Beyond that, though, this is a very reactive measure. Email addresses will only be added to a blacklist after they’ve been known to be associated with unauthorized communications, which means data exfiltration attempts may be successful before IT and security teams are able to take steps towards remediation.
Focusing on Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”, which will then signal an email should be quarantined or blocked before sent.
Drawbacks: The person trying to exfiltrate data – like social security numbers or bank account details – can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.
Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network.
Drawbacks: Again, this system is time- and resource-intensive and relies on employees accurately identifying and tagging all sensitive data. Data could be misclassified or simply overlooked, allowing it to move freely within and out of a network. Additionally, employees often get fatigued with enforced tagging which could lead to default tagging everything as sensitive.
You can find more information about email tagging in this guide.
The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules.
That means that the more effective solution is one that’s adaptable and can discern the variations in human behavior over time. A solution like this relies on machine-intelligent software that learns from historical email data to determine what is and isn’t anomalous in real-time.
Tessian uses contextual machine learning to prevent data exfiltration. Our machine learning models look at evolving patterns in data and constantly reclassifies email addresses based on changing relationships between employees and third-parties like vendors and suppliers.
This way, Tessian can determine whether a communication is legitimate information sharing or exfiltration.