We’ve probably all done it, sent an email to the wrong person. It might have been by mistake, due to not checking before hitting send, or on purpose. Data privacy and risk management company Egress Software Technologies asked a bunch of people about email. The results, data from which were shared with ET, are interesting.
According to Tony Pepper, CEO and co-founder, Egress: “Most of us can relate to the sudden panicked realisation of sending someone the wrong email. While these email fails can be perfectly innocuous, they can also cause serious problems to the sender and their company if they contain sensitive details or attachments. At the end of the day, we’re only human and we’re going to make mistakes, but we have to have some way of mitigating this if it’s going to cause a data breach.”
Pepper continued: “While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the EU General Data Protection Regulation, it has never been more important to get a grip on any possible risk points within the organisation and, as this research shows, email needs serious attention.”
How many people talked about their email mishaps?
Egress were looking at two issues. The first was the accidental sending of email caused by user error or laziness. The second was deliberate acts which should be covered by employee contracts. The fact that users talked at all about the second category shows employers need to do more to deal with the issue.
The data shows that 2,000 people responded to the survey conducted by Radio PR. All of them use email for work. Whether this was on company owned devices only or a mix of company and personal was not disclosed. Respondents were also not asked about company policy for setting up email on their private devices.
Oops, I didn’t mean to do that
35% admitted to accidentally sending an email to an unintended recipient at work. Most (68.5%)admitted this happened because they were rushing while 27% blamed It on answering multiple email at once. Multi-tasking while sending email is not your friend it appears. On top of this 28% blamed errors on being tired. All of these suggest that employees are under such pressure to deal with email that they don’t take the time to think before pressing send.
Email likes to collate your contact data. It does this to make it faster for you to send emails and means you don’t have to worry about mistyping email addresses. As you start typing in a contacts details it autocompletes the TO, CC and BCC fields. 43% of respondents blame this feature for helping them send email to the wrong person. Compounding the problem is a failure to check details, not thinking about who to send it too and getting confused with who should get which email when multitasking.
As mobile phone users will know, mobile devices love to be helpful. Surprisingly only 3% blame their mistakes on their mobile phone. This might be due to low numbers sending email from their mobile phones. It could also be caused by people paying more attention. Whichever it is, the survey doesn’t tell us.
As with drunk texting, it appears doing work email when drunk or having a hangover is also a thing. No surprise there given the number of people who send emails late at night from conferences. Men, it seems, are the most likely to drunk email work colleagues. Interesting over 16% blamed being distracted by a colleague at the time for their mistake. Offices are clearly not as dull as some surveys would have us think.
Perhaps the most amusing excuse, used by 7% of people was: “nothing unusual was going on, I’m just scatty.”
What did they send?
While a small number preferred not to say, the majority opted out of the choices given. That said, top of the list was 10% sending an insult about the recipient. Next up came an inappropriate joke with offensive language close behind. It’s likely that these two also combined in a number of cases. No examples were given for a risque message but inappropriate pictures probably align with being drunk.
Never confuse an accident with a malicious act
A more worrying trend exists outside of the sloppy or inept. The deliberate sending of data outside of the business. 16% openly admitted to sending or taking confidential to an unauthorised third-party and even competitors. Setting aside the breach of confidentiality, legal implications and bad judgement, this is a larger percentage than most organisations would think about.
Interestingly, this group also includes whistleblowers. It is a surprise that Egress didn’t seek to separate these out from the other results more clearly. 4% sent data to a governing body or legal entity. Just over 1% sent data to the press.
Oddly, respondents separated out taking confidential information to a new job and sending it to a competitor. Perhaps one was in the hope of getting a job. A small number even emailed data to a previous employer. Posting data to the Internet was less than 1%. People like to talk about what they do at work and sometimes post to the Internet. However, this can have serious implications as Rachel Burns discovered.
What does this mean?
Email has always been the weak link in data security. Back in the 2000’s Microsoft cracked down on contacts between press and its staff. Part of the problem was Word documents being accidentally or deliberately forwarded. It was suggested that its Rights Management addition to MS Office was one way to control data leakage. Unfortunately it was all undone when email continued to leak from people high enough up in the company to avoid being made to use RMS.
Egress suggests that the solution is simply to put in better controls and software. History, however, tells us differently. Sales people have always stolen customer and contact lists when they changed job. In some industries it is expected practice. Senior officers of companies are rarely castigated for email mistakes.
What IT departments need to get a grip of is that this level of leakage, accidental or deliberate, can have serious implications. GDPR will just ratchet up the penalties when it comes into force next year. Meanwhile it also undermines IT security. While they are looking for the external attack, the people who work inside the business are just as dangerous.