Emails are a crucial part of many work lives. We’re used to sending and receiving emails throughout the day, without much thought about the security of such exchanges. There’s a much bigger threat that originates from inside your organisation. When an employee clicks that send button, they could potentially share sensitive information with the wrong recipient. Such mistakes carry high costs. It might compromise client data or confidential information, which causes your organisation huge reputational damage and could hit your bottom-line. Not to mention the impact if the story leaks to the media. That level of reputational damage can take years to recover from.
Misaddressed emails were reported by the Information Commissioner’s Office (ICO) to be the biggest form of data loss last year (and also the first quarter of 2018). Many companies are familiar with hacking as a form of data loss (hence the investment in physical database security, firewalls, and anti-virus) but less so with misaddressed emails.
Unfortunately, all the attributes of email that makes it so popular (that it’s a speedy, clear and common form of communication) are the very factors that make it such a risk. 95% of all security incidents involve human error. Many security systems that are focussed on keeping hackers out, are missing a vital part of defence - making sure sensitive information stays in.
The emails involved in this scenario are all outbound. That is, emails sent to other organisations or people outside of your own company domain. If you think about it, email is a pretty insecure way of sharing information. It can be hacked, end up with the wrong person, or send malware and spam itself.
Worryingly, email still remains a means for many businesses to share confidential information. 89% of U.S. law firms use it as the main way to share information like case files or contracts. That’s despite 70% of them being aware of the risks and the importance of sharing files securely.
It’s the default mode of communication for many companies, and that means we need to find ways of securing it. Firewalls and other security can only go so far. When an email is leaked, it could be your employees who are your weakest link.
It might even be unintentional on the part of an employee. If someone simply misspells a name or doesn’t realise others are copied into an email chain it can result in a data leak. Alternatively, their actions might be malicious and actually intending to cause harm to a company. Either way, the consequences are devastating for a business. Especially post-GDPR.
For the few who are unaware, the EU’s General Data Protection Regulation (GDPR) has strict stipulations on the use and sharing of personal data. Under GDPR, organisations could face a fine of up to €20 million or 4% of global revenue, whichever sum is greater. The fine depends on the severity of the data leak. So a leak of healthcare records or personal finance data is likely to attract a far greater fine than leaking email addresses.
Even if the information shared isn’t customer data or personal information, there could be dire consequences. Imagine sharing client lists or your organisation’s future product plans, business strategy or financial information with the wrong person. It only takes a few clicks before that information ends up in the hands of a competitor.
Data leaks are becoming increasingly common. The media has its eye fixed on any kind of data breach. Any company that leaks information, whether that’s through a hack or misaddressed email, is likely to become front page news. Despite the saying, not all news is good for your company.
Plus, there’s the significant loss of trust that occurs between organisations and consumers if a breach does occur. Especially if that information is highly sensitive, like the names and emails of attendees of a HIV clinic sent in an accidental group email. As you can see with this case, a breach could occur simply when someone doesn’t realise emails are inputted into a cc field and not blind-copied. The clinic was fined £180,000. A sum that would have been far greater had GDPR been enforced at the time.
Then there’s the risks associated with an employee leaving their email account logged-in on a shared computer. They could also fail to lock their screen when leaving their computer. Alternatively, their laptop, phone or tablet could be stolen with their work email account still linked. When securing your emails, there’s definitely some employee education to be done. Make sure you communicate the risks of leaving inboxes on show or failing to lock screens. Employees must also understand how they can prevent misaddressed emails and the consequences of such a leak.
Of course, not all email leaks can be easily identified by organisations. Someone might maliciously forward an email. Others may accidentally send confidential information without realising it. Under GDPR, there’s a requirement for any breach to be reported within 72 hours. Organisations need a way to track outbound emails and flag any misaddressed emails. Luckily, there are tools like Tessian that notify you of any confidential information sent to personal email addresses or outside your organisation. It also prevents misaddressed emails from ever occurring.
Prevention is your best cure. Once a leak has happened, it’s difficult to fully recover. It’s better to use machine learning and other technology to stop a breach occuring. Either through analysing email addresses and flagging potential misaddressed emails, or highlighting when employee behaviour might cause a leak.
The risks of having a data leak are much higher compared to the past. GDPR has raised the stakes for many companies and also raised awareness about personal data security amongst consumers. Organisations need to ensure security is in top shape.
However, most emphasis is placed on ways to keep hacks and database breaches from occurring. Not many business leaders have considered the risk of email leaks. This creates a chink in an otherwise impenetrable armour. You don’t just need to consider the dangers of people getting it, you also have to stop confidential information from getting out. Especially if it’s highly sensitive, which is often the case in the health and legal sectors.