Outbound email data breaches happen every 12 working hours - isn't it time we stopped that?


Advances in machine learning have changed email security - which is more important than ever this year

When talking about risks related to email, phishing is the first thing that springs to mind for most people. However, this means organisations can often overlook the very real risk that comes from outbound email. In fact, the ICO's recent quarterly report revealed that misdirected email was the most common cause of reported security incidents in the first six months of 2020 - causing 44 per cent more incidents than phishing.

It should come as no surprise, then, that Egress's recent Outbound Email Security Report found that a staggering 93 per cent of organisations had suffered an outbound email data breach in the last 12 months. And these breaches happen with alarming regularity - on average, an organisation of 250 employees experienced 180 incidents per year - that's one every 12 working hours!

Alongside the increasing adoption of chat-based messaging services such as Teams and video calling software like Zoom, email remains a primary method of communication for all businesses. More significantly, email is still the primary choice for employees when communicating highly sensitive data, particularly as attachments. And email isn't going away any time soon. Since the beginning of the COVID-19 pandemic, 94 per cent of organisations have reported an increase in outbound email volumes - with one in two of these recording a staggering increase of more than 50 per cent.

With email volumes increasing, and remote employees facing more stress and distractions than ever, it's clear to see how easily misdirected emails can occur, particularly as a result of simple mistakes. From Outlook autocomplete suggesting the wrong recipient, to forgetting to use BCC, it only takes a momentary lapse in concentration for sensitive data to be exposed.

The impact on an organisation of a simple misdirected email can be significant. There's the obvious need to report it to the ICO as a breach of GDPR - but the impact of an email data breach can be far more complex than regulations alone. When sensitive client data is exposed (not just PI), organisations risk reputational damage, which occurs in a third of cases. Additionally, in a quarter of cases, the organisation suffered financially through customer churn or fines.

There's also a growing trend around private litigation, which can be particularly damaging when businesses need to make financial settlements with large volumes of affected customers. A recent high-profile example of this is British Airways, who recently had a £183 million ICO fine reduced to £20 million due to the impact of the pandemic on the airline. However, they could still face expensive litigation, after the High Court gave the go-ahead for group legal action from the 500,000 customers affected. Consequently, the final cost to the airline of this particular data breach has the potential to skyrocket.

Then there's human impact to be felt within organisations. The Outbound Email Security Report found that in 45 per cent of serious email data breaches, employees were reprimanded for causing the incident - and in 27 per cent of cases, they were fired. Legal action is also a common outcome, with 28 per cent of incidents ending with the organisation suing the employee responsible. All of this adds not just to the human cost of a breach, but the financial cost too.

Furthermore, fear of repercussions can lead to underreporting amongst employees, leaving CISOs and security teams without visibility of the true scale of the problem. Often, employees see an email data breach as self-limiting - they might feel that the damage done will only affect their own reputation and career prospects, and therefore, when they feel that they can get away with it, they're less likely to report. This is particularly concerning when a quarter of organisations rely on self-reporting to alert them to a breach, and a total of 62 per cent rely on people-based reporting from senders, recipients and colleagues.

It's important to look at what organisations are currently doing, in order to better understand where they need to improve.

Education can go some way in mitigating this risk, but employees can become complacent about the need to always check recipients and attachments - and success is highly dependent on individuals being motivated enough to do this, and not cutting corners in moments of busyness or stress.

So, it's also up to IT leaders to ensure that their organisation has the latest technology in place to provide a safety net for employees. Many organisations still rely on legacy DLP tools with static rules to prevent email data breaches. However, these tools fail to take into account user behaviour and relationships, and therefore can't fully mitigate the problem. Furthermore, users can quickly become bored of receiving prompts every time they try to send an email, and soon develop 'click fatigue', rendering the tool ineffective.

CISOs therefore need to keep on top of technological advances and ensure that the tools they're implementing can understand and respond to the way that we use email in 2020 and beyond. Advances in contextual machine learning have revolutionised email security. This technology can deeply understand each individual user's behaviour on email, from the relationships they have with people inside and outside their organisation, to the types of data they normally share. When it spots something that looks unusual, this technology prompts the user, avoiding click fatigue while still preventing emails from being sent to the wrong people. By implementing contextual machine learning technology, combined with the right level of protection, organisations can ensure that they avoid those little mistakes and their big ramifications.
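To make the contrast between static DLP rules and a behavioural baseline concrete, here is an added Python illustration (not code from the article or from any vendor's product): a sender's outbound history is used to learn their normal recipients, and a prompt is raised only for a never-seen domain or an address that looks like a mistyped known contact. The addresses, history and similarity cutoff are constructed assumptions.

```python
from collections import Counter, defaultdict
import difflib

# Constructed sample: one sender's recent outbound mail as (sender, recipient) pairs.
HISTORY = [
    ("alice@acme.example", "bob@acme.example"),
    ("alice@acme.example", "bob@acme.example"),
    ("alice@acme.example", "carol@partner.example"),
    ("alice@acme.example", "carol@partner.example"),
    ("alice@acme.example", "carol@partner.example"),
    ("alice@acme.example", "dave@acme.example"),
]

def build_profile(history):
    """Per-sender baseline: how often each recipient and recipient domain was used."""
    recipients = defaultdict(Counter)
    domains = defaultdict(Counter)
    for sender, rcpt in history:
        recipients[sender][rcpt] += 1
        domains[sender][rcpt.split("@")[1]] += 1
    return recipients, domains

def static_rule(sender, recipients, has_attachment):
    """Legacy rule-based DLP: warn on every external recipient when an attachment is present.
    It fires on long-established contacts too, which is what breeds click fatigue."""
    home = sender.split("@")[1]
    return has_attachment and any(r.split("@")[1] != home for r in recipients)

def contextual_check(profile, sender, recipients, cutoff=0.9):
    """Behavioural check: warn only when a recipient is outside the sender's normal
    relationships or is a near miss of a known contact (a typical autocomplete slip).
    Returns the reasons to prompt; an empty list means the mail can go silently."""
    known_rcpts, known_domains = profile
    seen = known_rcpts.get(sender, Counter())
    reasons = []
    for r in recipients:
        if r in seen:
            continue  # established relationship: no prompt
        near = difflib.get_close_matches(r, list(seen), n=1, cutoff=cutoff)
        if near:
            reasons.append(f"{r} looks like a mistyped {near[0]}")
        elif r.split("@")[1] not in known_domains.get(sender, {}):
            reasons.append(f"{r} is at a domain {sender} has never emailed")
    return reasons

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    me = "alice@acme.example"
    print(static_rule(me, ["carol@partner.example"], True))         # routine send still prompts
    print(contextual_check(profile, me, ["carol@partner.exmaple"]))  # flags the typo only
```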
