22 April 2020
Rick Goud, CEO & co-founder of ZIVVER, takes a look at data leaks and how email could be playing a massive part
Research shows that employees spend an average of two and a half hours per day working on emails. Email's ease of use and flexibility contribute to its popularity. Email is, however, risky as well, as shown by the latest figures from the Information Commissioner’s Office (ICO), which revealed that, of the 81% of data leaks caused accidentally by employees, 43% were due to misaddressed emails. Other mistakes included adding the wrong attachment, or an attachment with unintended sensitive information, or exposing recipient details by selecting the ‘To’ or ‘Cc’ email fields when ‘Bcc’ should have been used.
Even though unintentional, such information-sharing errors still need to be addressed in order to comply with legislation including the EU’s GDPR (which continues to apply to all UK organisations, at least during the Brexit transition period). So what can be done to combat this type of ‘insider threat’? Human error will likely never be completely eliminated, but today there are modern solutions available that help significantly reduce the chance of mistakes by giving employees feedback on the spot while they work within their favourite tools, for example when sending emails or file transfers. Such solutions use sophisticated pattern analysis and algorithms to help detect anomalies.
In a similar vein, the New Year’s Honours List data leak, which was caused by human error, might have been prevented if some form of quality assurance had been used to check that the content did not inadvertently contain any sensitive information before being published. Unfortunately it does not seem that any such measure was taken; the error was only discovered soon after the content was published, by which time it was too late.
IT and network managers looking to minimise the number and impact of data leaks caused by staff error could start by working through the following checklist, in conjunction with their trusted IT security provider:
• Increase employee awareness of how errors happen and the consequent implications: This has been named as one of the most important measures in GDPR, and similar legislation, and is the key to targeting the source of most data leaks: people inside the organisation!
• Prevent misaddressed emails: The number one cause of data leaks.
• Prevent unintended sharing of sensitive data: This umbrella category accounts for 81% of all UK data leaks.
• Prevent improper use of the ‘Bcc’ field when emailing: The ICO’s most recent data security incident trends report has ‘Failure to use Bcc’ as a separately listed cause, due to its frequent occurrence and potential impact.
• Protect data from unauthorised access: The ultimate goal of all legislation related to privacy and protection.
• Apply data retention policies: Also a specific measure that is a key component in legislation such as GDPR.
• Guarantee message encryption: By default, email encryption is opportunistic, meaning the sending system tries to deliver an email encrypted and, if that is not possible, delivers the message unencrypted. Having guaranteed encryption is important for compliance with GDPR and HIPAA, for example.
• Limit the impact of data leaks: GDPR-like legislation requires organisations to have measures in place to safeguard against data leaks, as well as the capacity to mitigate potential damage when they do occur.
• Identify risks: Gaining insight into where data protection can be improved, which is essential for raising security standards and compliance.
• Measure the effects of measures: Improving security is about applying measures and assessing their effectiveness, always with an eye on how things could be better.
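The two checklist items on misaddressed emails and Bcc misuse describe exactly the kind of on-the-spot feedback the article refers to. The following is an added illustration (not ZIVVER's product or code) of a minimal pre-send check: it flags a message that leaves many external addresses visible in To/Cc, and flags an external recipient that nearly matches a known contact, which is more often a typo than a new correspondent. The domain, threshold and address book are constructed for the example.

```python
"""Pre-send checks for two accidental-leak patterns: misaddressed
recipients and external addresses left visible in To/Cc.
All names, domains and thresholds are constructed for illustration."""
import difflib
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"   # assumed sender organisation (constructed)
BCC_THRESHOLD = 5                 # max external recipients visible in To/Cc
KNOWN_CONTACTS = {                # constructed address book used for typo detection
    "anna@partner.example", "legal@counsel.example", "bob@client.example",
}


def recipients(msg: EmailMessage, *headers: str) -> list[str]:
    """Parsed, lower-cased addresses from the given headers (To, Cc, ...)."""
    raw = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def check_message(msg: EmailMessage) -> list[str]:
    """Return human-readable findings; an empty list means the message passes."""
    findings = []
    visible = [a for a in recipients(msg, "To", "Cc") if is_external(a)]
    # Bcc misuse: many external parties would see each other's addresses.
    if len(visible) > BCC_THRESHOLD:
        findings.append(
            f"{len(visible)} external recipients visible in To/Cc; move them to Bcc")
    # Misaddressing: an unknown external address that nearly matches a
    # known contact is more likely a typo than a genuinely new correspondent.
    for addr in visible + [a for a in recipients(msg, "Bcc") if is_external(a)]:
        if addr in KNOWN_CONTACTS:
            continue
        near = difflib.get_close_matches(addr, KNOWN_CONTACTS, n=1, cutoff=0.85)
        if near:
            findings.append(f"{addr} looks like a typo of {near[0]}")
    return findings


def sample_message() -> EmailMessage:
    """Constructed outbound message exhibiting both problems."""
    msg = EmailMessage()
    msg["From"] = "staff@example.org"
    msg["To"] = ", ".join(f"recipient{i}@customer{i}.example" for i in range(6))
    msg["Cc"] = "anna@partner.exmaple, colleague@example.org"
    msg.set_content("Quarterly update attached.")
    return msg


if __name__ == "__main__":
    for finding in check_message(sample_message()):
        print("WARN:", finding)
```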
Organisations can achieve many aspects of the above by increasing their outbound email security efforts and defending against unauthorised access via two-factor authentication. If done in a way that is user-friendly, while also being simple to implement and maintain, organisations can unlock business value in areas including:
• Increased productivity by using email instead of fax, snail mail or USB sticks.
• Cost savings generated by a reduction in the use of snail mail, USB sticks or couriers.
• Reduced need for costly and ineffective customer portals.
• Savings on the labour costs of manually copying information to a source system.
With an expected yearly growth of more than 4%, email is, and will remain for at least the next decade, the most important form of communication for organisations. Safeguarding against human error when emailing is therefore poised to play a growing role across organisations of all sizes. This will follow from increased general awareness of the top data breach drivers, as the corresponding fines for violations of data protection legislation become commonplace.
By Rick Goud, CEO & co-founder of ZIVVER