Sending email to the wrong person is an easy mistake to make, especially when people are busy or distracted. The helpful list of names that email clients suggest when you start typing in the To or CC fields makes it easy to click on the wrong one. It is so easy that it was the biggest cause of personal data breaches reported to the UK Information Commissioner's Office (ICO) in Q4 2019-20.
A closer look at the data reveals that misdirected email (337) was a more significant issue than phishing (280) and ransomware (60). The biggest offenders, by industry sector, were Legal (57), Education (49) and Finance (45).
All three hold very sensitive data on individuals and have been severely disrupted by the current pandemic. The figures for Q1 2020-21 will likely show an upturn in the number of breaches as employees moved to work from home.
Email errors are under-reported
UK security vendor Egress says that problems with email are significantly under-reported. It commissioned CitizenMe to conduct a poll to learn more about these email errors. The survey looked at 300 email users in the UK and 300 in the US.
Its results are far worse than the ICO numbers. Almost two-thirds (64.5%) of respondents admitted to sending emails to the wrong recipients. Those emails contained information such as court documents and company sensitive data.
68% of UK and 61% of US respondents admitted to sending work emails to the wrong recipient. Were these all reported? According to Egress, no. It says: “Anecdotal comments from those who admitted to doing this also showed that they hadn’t reported the incident to their line managers.”
It has published some of those anecdotal responses:
Mistake: I once sent confidential figures to a colleague in my team rather than the CEO as they both had the same first name. Outlook gave me her name as a suggestion rather than the CEO.
Did you report it: No, my colleague saw my mistake and quietly told me.
Mistake: I sent a document for a bankruptcy to the wrong client because I mixed up two small businesses. Both were chapter 7 bankruptcies filed around the same time and they both began with the letter A. I accidentally sent a document that came in from court to the wrong client because I confused the two, as previously mentioned.
Did you report it: No, I did not. We are a small business and I apologised to the client it was sent to and advised to disregard. Then I sent the document to the correct person.
Work from home increasing the risk of a breach
The current work environment has seen millions of employees working from home. Email and collaboration services have become increasingly important to keep businesses running. Importantly, many of those users are not using company-issued or managed assets. That means organisations often lack insight into what is happening on the local machine.
Egress says it has seen: “A 23% increase in email usage due to the pandemic.” The question is, will that 23% lead to an equivalent or larger number of misdirected emails? Will the worry about repercussions increase pressure on users to not report a breach? Given the level of under-reporting that Egress is currently seeing, the latter is highly likely.
Can it be fixed?
Yes. Better user education and a no-blame environment for genuine mistakes are good starting points. But there is another opportunity that Egress believes organisations should be taking advantage of.
Working from home is likely to continue, even after the current pandemic subsides. Many organisations are looking at whether they really need so many employees in a large office. Egress says that this creates: “An opportunity for organisations to redirect spending away from buildings to other purposes.
“With remote working seemingly here to stay and email remaining the most common business communication tool, intelligent email security that prevents breaches and protects data must become a central part of organisations’ digital transformation stories.”
Enterprise Times: What does this mean
The risk of sending or cc’ing an email to the wrong person is very real. Egress is warning that this is often brushed under the carpet. It is something that businesses need to address, not ignore. It is calling for better tools and education to help users avoid making this mistake.