Outbound emails have become part of our everyday culture. We still use them as our primary mode of business communication, even with the advent of instant messaging apps like WhatsApp. They are so vital to the operations of our business that in 2017 we sent 269 billion emails every day, and that number is expected to soar to 333 billion by 2022. We are literally awash with emails flowing out of our business and taking data with them.
An email leak can cause business disruption, loss of Intellectual Property, and embarrassment. Emails are a distinct and concerning point of failure in any organization’s security strategy.
Going forward, we need to own our outbound emails and in doing so, own our data.
The UK’s Information Commissioner's Office (ICO) researches issues around data protection and privacy. In a recent ICO survey looking at “security incident trends”, as well as finding a general upward trend in reported cybersecurity incidents, they also identified email as a key source of data loss. Specifically, “data sent by email to incorrect recipient” was found to be an issue across all industry sectors. This type of data exposure had the largest number of security incidents in Q1 of 2018 and was consistently in the top two types of incident across 2017.
There are a number of reasons why email remains at the top of the list of exposure points. Below we have listed a few email weaknesses:
- “Oops I used reply all”: Many of you reading this have likely clicked the “reply all” button when you wanted to send a personal message to the sender instead. The email may well contain sensitive information and the thread itself may contain personal data. This act could take your organization outside of regulatory compliance with data protection laws. Using ‘reply all’ inappropriately can also damage not only your personal reputation but your company's reputation too.
- Knocking on the wrong door: Misaddressed emails are all too common, as the ICO report demonstrates. Human error is now a major concern in managing cybersecurity risk. An IBM report found that 95% of security incidents could be traced back to human error. Preventing people from making mistakes is not an easy task. To do it well, accurately, and consistently, without impacting the human operator and simply annoying them, you have to use smart automation technology. This approach is based on Machine Learning and is the least disruptive way to prevent mishaps like misaddressed emails; it enforces a culture of ‘safe-send’ without the pain.
- Poor email policy: Human-error is augmented by poor or non-existent email security policies. This is nicely exemplified by an email-based data exposure involving a Boeing employee. The employee, unwittingly, sent a spreadsheet to his partner to reformat for him. Unfortunately, the spreadsheet contained the sensitive personal data of 36,000 employees.
- To encrypt or not to encrypt?: Encryption can be part of an email security strategy and policy, but it is not a panacea for data leaks by email; it won’t, for example, prevent data loss by human error. The use of email encryption depends on having access to the recipient's public key. In other words, it involves a user doing something, and users tend to like to ‘click and go’. Any hurdle in performing a task quickly ends up with users finding workarounds or simply not following protocol. So, encryption is great for certain things, but for emails, it can add a barrier to use.
- A lost cause: Most organizations will have an email backup and/or archive system in place. It is often a legal requirement for traceability and audit. However, this can also be a point of failure in your cybersecurity strategy. Email backups are like a goldmine of data for any cybercriminal looking for a quick cyber-buck. If you store your email backups without securing them, you may as well place the data on a public website for all to read. Backup security needs to include encryption and robust access control measures (such as two-factor authentication).
Data breaches cost money, damage reputation, and disrupt operations while the incident is investigated and fixed. If the data is highly sensitive, all of these effects are amplified. Because every industry uses email, every industry is affected by the above issues; certainly, no one is exempt from human error, and cybercriminals have our data in their sights.
One area that needs to be considered in your email security policy is compliance with data protection regulations. Most industry sectors, and many countries, have either a single overarching law or a mosaic of laws on the protection of data. In the European Union, this is extended to cover data privacy in detail. The General Data Protection Regulation (GDPR) covers the processing and storage of personal data; this includes personal data within an outbound email context. Due care needs to be given to any emails that contain personal data. One glaring gap in securing data that is outbound in emails is the misaddressing of an email. If an employee, even inadvertently, sends out personal data in an email to the wrong person, this could be deemed a data breach and may need to be reported to your company's allocated supervisory authority.
Corporate emails are a great way to communicate. Even with the lure of instant messaging, email persists as the preferred choice. This is understandable, as it is a neat way to package up a communication and any associated documents. But this also creates a pipeline of data out of the organization. Emails are an enterprise and personal data exit point that needs to be included in your corporate security strategy. Using the right tools for the job is essential to implementing this strategy, as many of the issues caused by errors such as misaddressed emails are down to the human operator, and this is a difficult nut to crack. By including smart machine-intelligence technologies, you can make sure the right email goes to the right person.
Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict, for this user at this point in time, whether an email looks like a security threat.