Email continues to be the main communication channel for organisations and, at the same time, a major threat to the business. That is one of the key takeaways from the Egress Data Loss Prevention Report 2021. 83% of organisations experienced an email data breach in 2020. Yet despite this, companies are not doing enough to prevent breaches, especially accidental ones.
Egress CEO Tony Pepper comments: “It’s clear to see that legacy DLP tools are no longer fit for purpose; they’re difficult to use, and because they can’t take people’s behaviour into consideration, they’re limited in their ability to mitigate the rising tide of email data breaches in this new world of remote working.
“Many employees continue to work in challenging environments, and the lines between work and home life have been well and truly blurred. All of this contributes to the likelihood that a costly mistake might be made. Organisations must be aware of the new environment of risk that has been created by the working conditions brought about by the pandemic, and utilise advances in machine learning to give employees a safety net that can detect when they’re about to cause a data breach and prevent these incidents before they happen.”
Arlington Research carried out the survey, which includes responses from 500 IT leaders and 3,000 remote working employees in the UK and US.
What do we learn about email risks from this report?
To some degree, there is nothing new in this report. Users emailing information either by accident or maliciously are causing breaches and always have. What has changed is that the level of email in 2020 increased substantially as users worked from home. The survey shows:
- 85% of employees are sending more emails than in 2019, raising the risk of a data breach
- 73% are under a lot of pressure working from home, and that is likely to lead to more mistakes
- 24% of email data breaches were caused by accidental sharing of data
- 79% of IT leaders have deployed and experienced difficulties using static email Data Loss Prevention (DLP) tools
- 24% of IT leaders say that half of all incidents won’t be detected by static DLP tools
- 83% of organisations have experienced an email data breach
That last stat is of major concern. It is higher than the share attributed to any other cause: breaches via the network, mainly through malware, were 79%, and via messaging apps, 77%. It shows just how dangerous unmanaged email has become.
It all adds up to a staggering 178 incidents per year, which, for SMEs in particular, means that it is a common problem.
But is it fair to blame employees?
Every breach survey needs a fall guy, and in most, it is the users. However, looking more closely at the survey, there is a different story in play. It highlights four ways that data is lost through email:
- 24%: data shared in error
- 24%: data intentionally leaked
- 30%: data exfiltrated through an external attack
- 18%: third-party supplier security
Each of these has different impacts on the business and creates its own challenges in remediation. User error is most often caused by autocomplete where the user doesn’t check the email address before hitting send. This can be reduced through better verification of who the user regularly sends files and data to. Another common cause is hitting reply all when intending to reply to just one user.
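One way to put the "verify who the user regularly sends to" idea into code, as an added example that is not from Egress or the report: a pre-send check over a constructed sent-mail history that flags look-alike domains (the typical autocomplete slip), domains the user has never emailed, and large recipient lists that may be an unintended reply-all. The history, addresses, similarity threshold and recipient-count threshold are all assumptions.

```python
# Added example (not Egress's product or the report's code): a pre-send
# recipient check built on a constructed sent-mail history for one user.
from collections import Counter
from difflib import SequenceMatcher

# Constructed history: address -> number of past sends to it.
SENT_HISTORY = Counter({
    "alice@example.com": 40,
    "bob@example.com": 25,
    "carol@partner-corp.com": 12,
    "dave@partner-corp.com": 3,
})

def known_domains(history):
    """Domains the user has sent to before, with total send counts."""
    domains = Counter()
    for addr, sends in history.items():
        domains[addr.split("@", 1)[1].lower()] += sends
    return domains

def lookalike_of(domain, domains, threshold=0.85):
    """Return a known domain that `domain` closely resembles (not an exact match), else None."""
    if domain in domains:
        return None
    for known in domains:
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def check_draft(recipients, history=SENT_HISTORY, reply_all_threshold=5):
    """Return (level, message) warnings: 'block' = likely mistake, 'confirm' = ask the user."""
    warnings = []
    domains = known_domains(history)
    for raw in recipients:
        addr = raw.strip().lower()
        if addr in history:
            continue  # regular correspondent, nothing to flag
        domain = addr.split("@", 1)[1]
        look = lookalike_of(domain, domains)
        if look is not None:
            warnings.append(("block", f"{addr}: domain resembles '{look}' but is not it"))
        elif domain not in domains:
            warnings.append(("confirm", f"{addr}: never emailed this domain before"))
        else:
            warnings.append(("confirm", f"{addr}: new address at a known domain"))
    if len(recipients) >= reply_all_threshold:
        warnings.append(("confirm", f"{len(recipients)} recipients: unintended reply-all?"))
    return warnings
```

A real deployment would build the history from the mail server's sent log and tune the thresholds per user; the point is that the check runs before send, when the mistake can still be stopped.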
Stopping the deliberate leaking of data is much harder. At one level, behavioural analytics can catch the breach. But what if the user has the right level of access to the data and is sending it to an email address they use regularly? The Morrisons breach was exactly this scenario. It is hard to see how most tools would pick that type of breach up. This is where organisations need wider tools to spot malicious insiders.
Data exfiltrated through external attacks is often done through compromised credentials. Behavioural analytics and other technologies exist to catch this.
Third-party supply chain risks
Perhaps the hardest to deal with is third-party supplier security. Companies have little insight into how partners secure data, so the first they know of a problem is often after a breach has already happened. With current data protection laws, including GDPR, this is a serious problem.
For example, if the data shared contains Personally Identifiable Information (PII), the company is the data controller. The third party it shares the data with is the data processor. GDPR made the data controller just as responsible as the data processor. This means that a breach carries substantial financial risks for both businesses.
Even where the data is not PII, there is a risk of data being stolen and used against a company. For example, if a third party's email account is compromised, that address can be used to mount further attacks, such as Business Email Compromise, where the attacker poses as a trusted partner and redirects payments to a fraudulent bank account.
Working from home has raised the stakes
The report looks at the increased risks of employees working from home. This is not just about employees being more pressured or sharing more data with colleagues. There are specific issues about where and how they work.
For example, 5% work in a communal space with other people. 25% share a communal space, such as the kitchen, where others enter while they are working. Only 28% had a separate office for their own use to work without other people walking in and out.
As remote working is set to become more popular, organisations will need to ask employees questions about where they work. If the employee cannot be sure that data and emails are safe from third parties, they may find that working from home becomes less likely. For many who enjoy remote working, this is likely to be a blow. The question for employers will be how to support employees in creating a more secure environment.
Enterprise Times: What does this mean?
There is a lot in this report that will make managers sit up and take notice. The increased risk from remote working is just one of these. Employees sharing more data through email is a major worry that most will want to address.
But, addressing these issues with DLP tools is unlikely to be easy. According to the survey, 56% of IT leaders have had clients ask about DLP tools. This is a wake-up call for those who have yet to deploy DLP tools. However, the survey also shows that a significant proportion of those who have implemented email DLP said they had problems. It sends a message to the industry to make it easier to implement.
There is also room for better training and help for users. Do users know what the compliance requirements are around email? Is data clearly marked as sensitive or not sensitive? How easy is it for a user to flag a mistake?
For decades, email has dominated corporate communications, and this is unlikely to change soon. This report shows that many companies are far from coming to terms with the security implications. Perhaps 2021 will be the year email security comes of age.