The pervasive threat that cybercriminals pose to the security of critical information has dominated media headlines over the past year. Major data breaches, from Uber's cover-up of its data theft to the 147.9 million Americans affected by the attack on Equifax, have shifted the focus to the damage cybercriminals can do to an organization. However, while external cyber-attacks remain an ongoing threat to cyber defenses, the danger from within the organization is just as great.
Following a survey of 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, we found that 45% of employees had mistakenly sent emails containing key data to unintended recipients. The data included personal information (15%), bank details (9%), attachments (13%) and other confidential content (8%).
The problem is not limited to unintentionally sharing sensitive data. Our survey also found that employees regularly receive emails intended for someone else: 27% of employees said they had received emails containing personal information in error from outside their company, 26% had received attachments in error and 12% had wrongly received personal bank details.
With close to half of the workforce sending emails in error and more than a quarter receiving them, there is a twofold potential for data leaks, via outbound and inbound channels. What's more, GDPR places responsibility for the security of personal data on every organization that holds it, and a misdirected email containing personal data is a personal data breach that may have to be reported to the supervisory authority within 72 hours, making the sharing and receiving of unauthorized information a real pitfall for any organization's compliance efforts.
The occasional piece of 'stray data' may seem innocuous, but the risk it poses to businesses becomes severe when you consider how that information is handled. On receiving a misdirected email, 31% of employees said they would read it, and 12% admitted they would scroll through and read the entire email chain. Only 27% said they would delete the email from their inbox, leaving the whereabouts of much of the misplaced data unknown.
Minimizing stray emails
Whether it is bank details, company reports or spreadsheets of marketing data, information sent to or received by an unintended recipient can amount to a serious data breach and potentially put a company in breach of GDPR. To minimize this threat to your organization, focus on three key areas: people, process and technology.
- People: there is a 'laissez-faire' attitude within the workforce towards accidentally sharing or receiving an email in error. To counter it, employees should understand the consequences of emails going astray, especially under GDPR. Cybersecurity training should cover both external threats and those from within. This instills the values of a 'good data citizen' and a sense of data consciousness in the workplace, so that employees are not the weak point in the organization's cyber defenses.
- Process: our survey found that fewer than half (45%) of employees were familiar with the agreed course of action on receiving an email from another company where they were not the intended recipient, and 22% said their organization had no formal process for such situations at all. A defined route for reporting incidents is the next step in building data security within your organization: it tells employees how to report an email received in error and who owns the response. In practice that means not forwarding or replying-all with the content, notifying the sender, reporting it to the security or data protection team, and recording it so the breach can be assessed. With a process in place and a clear course of action for employees to follow, organizations gain greater visibility and control over potential security incidents.
- Technology: email remains the 'Achilles heel' of many organizations' data protection and cybersecurity efforts. A layered approach to security is needed to mitigate this threat, with technology acting as both the first and last line of defense. In particular, Adaptive Data Loss Prevention solutions can automatically remove sensitive data and malicious content from messages as they pass through the company network, significantly reducing data loss from emails sent or received in error. They can also enforce policies on specific pieces of information, giving you control over and visibility of the critical data in your organization. Such inspection only works on content the gateway can read, so encrypted attachments and archives need a policy of their own, and redaction rules should be checked against false positives (a phone number or order reference that merely looks like a card number) so that legitimate mail is not mangled.
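As an illustration of the kind of content-inspection policy such a gateway applies to outbound mail, the script below is an added example written for this page, not the vendor's product code. It scans a plain-text message for payment card numbers, IBANs and UK sort-code/account-number pairs, confirms each candidate with its checksum so that look-alike digit runs are left alone, and redacts the confirmed hits when any recipient is outside the organization. The internal domain list, the regular expressions and the sample message are assumptions constructed for the example.

```python
"""Minimal outbound-email content filter illustrating DLP policy logic.

Added example for this page, not the vendor's code. It scans a plain-text
message for card numbers, IBANs and UK sort-code/account-number pairs,
verifies the candidates with checksums to cut false positives, and redacts
them when any recipient is outside the organization.
"""
import re
from email import message_from_string

# Assumption: mail to any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Candidate patterns; each is confirmed by a verifier before it counts as a hit.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}[ ]?[A-Z0-9]{1,4}\b")
UK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_ok(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def iban_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the result must be congruent to 1 mod 97."""
    s = candidate.replace(" ", "")
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


# Specific formats first so that digit runs inside an IBAN or account line
# are not re-matched as a card number.
PATTERNS = [
    ("iban", IBAN_RE, iban_ok),
    ("uk_account", UK_ACCOUNT_RE, lambda s: True),
    ("card_number", CARD_RE, card_ok),
]


def find_sensitive(text: str) -> list[tuple[int, int, str, str]]:
    """Return verified, non-overlapping (start, end, category, value) spans in text order."""
    accepted = []
    for category, regex, verify in PATTERNS:
        for m in regex.finditer(text):
            if not verify(m.group()):
                continue
            if any(m.start() < end and start < m.end() for start, end, _, _ in accepted):
                continue
            accepted.append((m.start(), m.end(), category, m.group()))
    return sorted(accepted)


def redact(text: str, spans) -> str:
    out, pos = [], 0
    for start, end, category, _ in spans:
        out.append(text[pos:start])
        out.append(f"[REDACTED {category}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


def inspect_message(raw: str) -> dict:
    """Apply the policy to one RFC 822 message (single-part, plain text assumed)."""
    msg = message_from_string(raw)
    recipients = [a.strip().lower() for h in ("To", "Cc")
                  for a in (msg.get(h) or "").split(",") if a.strip()]
    external = [r for r in recipients if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    body = msg.get_payload()
    spans = find_sensitive(body)
    # Policy: sensitive data may travel internally; it is redacted on the way out.
    action = "redact" if spans and external else "allow"
    return {
        "external_recipients": external,
        "hits": [(category, value) for _, _, category, value in spans],
        "action": action,
        "body": redact(body, spans) if action == "redact" else body,
    }


# Constructed sample message (not real data): two genuine bank details, one
# valid test card number and an order reference that only looks like a card.
SAMPLE = """\
From: finance@example.com
To: supplier@partner.example
Subject: Invoice settlement

Hi Sam,

Please charge card 4111 1111 1111 1111 (exp 09/27).
Refunds go to sort code 20-00-00 55779911.
IBAN GB29 NWBK 6016 1331 9268 19 for international transfers.
Quote order reference 1234 5678 9012 3456 on the remittance.

Thanks
"""

if __name__ == "__main__":
    result = inspect_message(SAMPLE)
    print(result["action"], result["hits"])
    print(result["body"])
```

Run on the sample, the filter redacts the card number, the sort code and account number, and the IBAN, but leaves the order reference in place because it fails the Luhn check; the same message addressed only to example.com is allowed through unchanged. A production gateway would add attachment parsing, per-recipient policy and logging, but the verify-then-redact structure is the part worth getting right first.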