When talking about risks related to email, phishing is the first thing that springs to mind for most people. However, this means organisations can often overlook the very real risk that comes from outbound email. In fact, the ICO's recent quarterly report revealed that misdirected email was the most common cause of reported security incidents in the first six months of 2020 - causing 44 per cent more incidents than phishing.
It should come as no surprise, then, that Egress's recent Outbound Email Security Report found that a staggering 93 per cent of organisations had suffered an outbound email data breach in the last 12 months. And these breaches happen with alarming regularity - on average, an organisation of 250 employees experienced 180 incidents per year - that's one every 12 working hours!
Alongside the increasing adoption of chat-based messaging services such as Teams and video calling software like Zoom, email remains a primary method of communication for all businesses. More significantly, email is still the primary choice for employees when communicating highly sensitive data, particularly as attachments. And email isn't going away any time soon. Since the beginning of the COVID-19 pandemic, 94 per cent of organisations have reported an increase in outbound email volumes - with one in two of these recording a staggering increase of more than 50 per cent.
With email volumes increasing, and remote employees facing more stress and distractions than ever, it's clear to see how easily misdirected emails can occur, particularly as a result of simple mistakes. From Outlook autocomplete suggesting the wrong recipient, to forgetting to use BCC, it only takes a momentary lapse in concentration for sensitive data to be exposed.
The impact on an organisation of a simple misdirected email can be significant. There's the obvious need to report it to the ICO as a breach of GDPR - but the impact of an email data breach can be far more complex than regulations alone. When sensitive client data is exposed (not just PI), organisations risk reputational damage, which occurs in a third of cases. Additionally, in a quarter of cases, the organisation suffered financially through customer churn or fines.
There's also a growing trend around private litigation, which can be particularly damaging when businesses need to make financial settlements with large volumes of affected customers. A recent high-profile example of this is British Airways, which recently had a £183 million ICO fine reduced to £20 million due to the impact of the pandemic on the airline. However, it could still face expensive litigation, after the High Court gave the go-ahead for group legal action from the 500,000 customers affected. Consequently, the final cost to the airline of this particular data breach has the potential to skyrocket.
Then there's the human impact felt within organisations. The Outbound Email Security Report found that in 45 per cent of serious email data breaches, employees were reprimanded for causing the incident - and in 27 per cent of cases, they were fired. Legal action is also a common outcome, with 28 per cent of incidents ending with the organisation suing the employee responsible. All of this adds not just to the human cost of a breach, but the financial cost too.
Furthermore, fear of repercussions can lead to underreporting amongst employees, leaving CISOs and security teams without visibility of the true scale of the problem. Often, employees can see an email data breach as self-limiting - they might feel that the damage done will impact their own reputation and career prospects, and therefore, when they feel that they can get away with it, they're less likely to report. This is particularly concerning when a quarter of organisations rely on self-reporting to alert them to a breach, and a total of 62 per cent rely on people-based reporting from senders, recipients and colleagues.
It's important to look at what organisations are currently doing, in order to better understand where they need to improve.
Education can go some way in mitigating this risk, but employees can become complacent about the need to always check recipients and attachments - and success is highly dependent on individuals being motivated enough to do this, and not cutting corners in moments of busyness or stress.
So, it's also up to IT leaders to ensure that their organisation has the latest technology in place to provide a safety net for employees. Many organisations still rely on legacy DLP tools with static rules to prevent email data breaches. However, these tools fail to take into account user behaviour and relationships, and therefore can't fully mitigate the problem. Furthermore, users quickly tire of receiving prompts every time they try to send an email, and soon develop 'click fatigue', rendering the tool ineffective.
CISOs therefore need to keep on top of technological advances and ensure that the tools they're implementing can understand and respond to the way that we use email in 2020 and beyond. Advances in contextual machine learning have revolutionised email security. This technology can deeply understand each individual user's behaviour on email, from the relationships they have with people inside and outside their organisation, to the types of data they normally share. When it spots something that looks unusual, this technology prompts the user, avoiding click fatigue while still preventing emails being sent to the wrong people. By implementing contextual machine learning technology, combined with the right level of protection, organisations can ensure that they avoid those little mistakes and their big ramifications.
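To make the contrast between static DLP rules and relationship-aware checking concrete, here is a small added example (not Egress's product or algorithm, and not code from this article): it builds a per-sender baseline from past recipients, then prompts only for a never-used address that closely resembles a known one (the autocomplete slip), a first-ever email to an unknown domain, or a batch of external addresses left visible in To/Cc (the forgotten BCC). The sent-mail history, the home domain and the two thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sent-mail history: (sender, recipient) pairs standing in for what a
# contextual tool would learn from a user's real mailbox.
HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "jane.smith@client-a.example"),
    ("alice@corp.example", "jane.smith@client-a.example"),
    ("alice@corp.example", "ops@client-b.example"),
]
INTERNAL_DOMAIN = "corp.example"  # assumed home domain of the organisation
LOOKALIKE = 0.9                   # similarity above which a new address is "suspiciously close"
BCC_THRESHOLD = 5                 # external addresses visible in To/Cc before suspecting a missed Bcc

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_profiles(history):
    """Per-sender baseline: how often each recipient address and each domain was used."""
    profiles = defaultdict(lambda: {"addrs": Counter(), "domains": Counter()})
    for sender, rcpt in history:
        profiles[sender]["addrs"][rcpt.lower()] += 1
        profiles[sender]["domains"][domain(rcpt)] += 1
    return profiles

def assess(profile, to, cc=(), bcc=()):
    """Return the reasons a user should be prompted; an empty list means send silently."""
    reasons = []
    visible = [a.lower() for a in list(to) + list(cc)]
    for addr in visible + [a.lower() for a in bcc]:
        if addr in profile["addrs"]:
            continue  # established relationship: no prompt, so no click fatigue
        close = [known for known in profile["addrs"]
                 if SequenceMatcher(None, known, addr).ratio() >= LOOKALIKE]
        dom = domain(addr)
        if close:  # same person, wrong organisation: the classic autocomplete slip
            reasons.append(f"{addr} looks like {close[0]} but has never been used")
        elif dom != INTERNAL_DOMAIN and dom not in profile["domains"]:
            reasons.append(f"{addr}: first ever email to domain {dom}")
    # Many external addresses in To/Cc is the signature of a forgotten Bcc
    external_visible = [a for a in visible if domain(a) != INTERNAL_DOMAIN]
    if len(external_visible) >= BCC_THRESHOLD:
        reasons.append(f"{len(external_visible)} external addresses visible in To/Cc; did you mean Bcc?")
    return reasons
```

A new contact at a domain the sender already works with produces no prompt, which is the behaviour that keeps users from tuning the tool out.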