Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences.

But, what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely.

[infogram id=”mistakes-20-module-1-1h7j4d8p0ng96nr?live”]

In this article, we’ll focus on email mistakes. You’ll learn:

• The top five email mistakes that compromise cybersecurity
• How frequently these incidents happen
• What to do if you make a mistake on email

I sent an email to the wrong person

At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people.

It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.)

Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to jon.doe@gmail.com instead of jan.doe@gmail.com) or it could be an incorrect suggestion from autocomplete. 

What are the consequences of sending a misdirected email?

While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview: 

1. Embarrassment 
2. Fines under compliance standards like GDPR and CCPA
3. Lost customer trust and increased churn
4. Job loss
5. Revenue loss
6. Damaged reputation

Real-world example of a misdirected email

In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. 

While the program administrator is maintaining that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified. 

As of September 2020, they still haven’t been.

I attached the wrong file to an email

Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat fingering an email, it’s easy to do.

Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely. 

What are the consequences of sending a misattached file?

As you may have guessed, the consequences are the same as the consequences of sending a misdirected email.

Of course, the consequences depend entirely on what information was contained in the attachment. If it’s a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem. 

Real-world example of sending the wrong attachment

A customer relations advisor at Caesars Entertainment UK – a part of Caesars Entertainment – was sending emails to the casino’s VIPs. In the emails, the employee was meant to attach a customized invitation to an event.

But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers.  

Luckily, they also spelled the email address incorrectly, so it was never actually sent. 

Charles Rayer, Group IT Director, details the incident – and explains why this prompted him to invest in Tessian Guardian – in a Q&A. 

You can watch the interview here.

I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them

Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make. 

What are the consequences of hitting “reply all” or cc instead of bcc?

As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email.

For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off everyone, you’ll be embarrassed and may worry about your professional credibility. 

But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident which could have long-term consequences.

Real-world example of hitting “reply all”

In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong.

Instead of sending the invite to 80 people, it went to 22,000; nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach) it does go to show how easily data can travel and land in the wrong hands. 

Real-world example of cc’ing someone instead of bcc’ing them

On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR, the mistake is considered a potential breach. 

I fell for a phishing scam

According to Tessian research, 1 in 4 employees has clicked on a phishing email. But, the odds aren’t exactly in our favor. In 2019, 22% of breaches in 2019 involved phishing…and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.)

Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But, it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us. 

[infogram id=”mistakes-20-module-5-1h7z2lrgwmyx2ow?live”]

What are the consequences of falling for a phishing scam?

Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identify theft. Revenue loss. Customer churn. A wiped hardrive.

But, the top five “types” of data that are compromised in a phishing attack are:

1. Credentials (passwords, usernames, pin numbers)
2. Personal data (name, address, email address)
3. Internal data (sales projections, product roadmaps) 
4. Medical (treatment information, insurance claims)
5. Bank (account numbers, credit card information)

Real-world example of a successful phishing attack

In August 2020, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on.

While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams.

But, most phishing attacks have serious consequences. According to one report, 60% of organizations lose data. 50% have credentials or accounts compromised. Another 50% are infected with ransomware. 35% experience financial losses.

I sent an unauthorized email

As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved outside the network.

Generally speaking, sending data to personal email accounts or third-parties is a big no-no. At Tessian, we call these emails “unauthorized” and they’re sent 38x more than IT leaders estimate.

Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year. 

So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work over the weekend. Or, it could be malicious. For example, sending trade secrets to a third-party in exchange for a job opportunity. 

What are the consequences of sending an unauthorized email

Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include:

• Lost data
• Lost intellectual property
• Revenue loss
• Losing customers and/or their trust
• Regulatory fines
• Damaged reputation

No sensitive data involved? The consequences will depend on the organization and existing policies. But, you should (at the very least) expect a warning. 

Real-world example of an unauthorized email

In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.

You can find more real-word examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples

How can I avoid making mistakes on email?

The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money. 

But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes. 

That’s why to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does.

Powered by machine learning, our Human Layer Security technology understands human behavior and relationships.

• Tessian Guardian automatically detects and prevents misdirected emails
• Tessian Enforcer automatically detects and prevents data exfiltration attempts
• Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always. 

Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.