[BreachExchange] Unintended recipient: Why is email still such a risk to data?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 13 10:01:28 EDT 2018


https://www.scmagazineuk.com/unintended-recipient-why-is-email-still-such-a-risk-to-data/article/767090/


The most pervasive communications channel for most organisations worldwide,
email, is also one of the most prominent and underestimated data loss
vectors, primarily due to human error, which an IBM report estimated was
responsible for 95 percent of all security incidents.

By design, it's an open portal to your organisation, allowing employees to
communicate with clients, bosses and each other with relative ease and
ubiquity. However, some of the things that make the protocol so
lightweight and easy to use are also those that make it challenging to
secure in any meaningful way.

Email is used in innumerable different ways – it's fairly likely that no
two people organise their email and processes the same way, let alone two
separate organisations. Employees use it for anything and everything – from
sending sensitive data to clients, to discussing personal plans. The
versatility of email makes it ultra-convenient but also adds to the risk of
content being shared with the wrong people.

Unlike other messaging platforms, there's no need for sending and receiving
parties to use the same email provider, client or server. Because of its
pervasiveness, email has become the go-to technology for sharing
information within the enterprise. Gone are the days when people accessed
their email solely from their desk. Employees manage their emails on
laptops, smartphones, tablets and even watches. This ease of access
increases the volume of information transactions and also the speed of
email communication, thus making it considerably more prone to human error.

As businesses of all sizes increasingly rely on email as a primary business
management tool, the risk that unintended recipients receive sensitive
information grows. Email is an open door to an organisation's network,
allowing employees to freely communicate with practically anyone by typing
a single address. However, the attributes that make email so popular and
useful are the very aspects that make it highly vulnerable to inadvertent
data loss.

There have been a number of high profile companies involved in data loss
incidents caused by misaddressed emails, companies who undoubtedly had
industry standard information security protection. Organisations operating
in the legal, healthcare, and financial sectors, among others, are having
to handle and communicate confidential data as a matter of course, often
sending it externally via email.

Misaddressed emails don't have a common format, no readily identifiable
shared traits, and no signature that data loss prevention (DLP) software
can look out for – this makes them incredibly difficult to prevent with any
degree of accuracy. The Information Commissioner's Office (ICO) reported in
2017 that more than 80 percent of all data lost due to human error was
because of misaddressed emails, and almost ten percent was caused by a
failure to BCC. While DLP solutions do exist for email, many are
disruptive, incomplete, and inefficient, and most do a poor job of
preventing misdelivery.
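The two failure modes the paragraph above describes, a typo in a recipient's domain and a bulk send that put external addresses in To/Cc instead of Bcc, are not signature-based, but they can be checked at send time against the sender's own history. The following is an added example, not code from the article or from any DLP vendor: a pre-send recipient check that flags domains within a small edit distance of domains the organisation has previously corresponded with, flags external domains it has never corresponded with, and flags a message that exposes more than a policy threshold of external domains in To/Cc. The internal domain, the set of known correspondent domains, the threshold and all addresses are constructed for the example.

```python
"""Pre-send recipient checks for two misdelivery failure modes.

Added illustration only; not the article's code nor any vendor's DLP logic.
The domains, addresses and threshold below are constructed for the example.
"""

from dataclasses import dataclass

INTERNAL_DOMAIN = "ourfirm.example"          # assumption: the sending organisation's domain
KNOWN_DOMAINS = {                            # assumption: domains previously corresponded with
    "acme-legal.example",
    "northbank.example",
    "patient-trust.example",
}
MAX_VISIBLE_EXTERNAL_DOMAINS = 3             # assumption: policy threshold for "should have used Bcc"


@dataclass(frozen=True)
class Finding:
    field: str          # "To", "Cc", "Bcc", or "*" for a message-level finding
    address: str        # offending address, or "" for a message-level finding
    reason: str
    suggestion: str = ""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) using one rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; caller has checked for '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_recipients(to, cc, bcc, known_domains=KNOWN_DOMAINS,
                     internal_domain=INTERNAL_DOMAIN,
                     max_visible_external=MAX_VISIBLE_EXTERNAL_DOMAINS,
                     max_distance=2):
    """Return a list of Findings for the given To/Cc/Bcc address lists."""
    findings = []
    visible_external_domains = set()
    # A typo in the internal domain is as dangerous as one in a client's.
    candidates = set(known_domains) | {internal_domain}

    for field, addresses in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        for addr in addresses:
            if "@" not in addr:
                findings.append(Finding(field, addr, "malformed address"))
                continue
            dom = domain_of(addr)
            if dom == internal_domain:
                continue
            if field != "Bcc":
                # To/Cc recipients can see each other; Bcc recipients cannot.
                visible_external_domains.add(dom)
            if dom in known_domains:
                continue
            near = sorted(k for k in candidates if levenshtein(dom, k) <= max_distance)
            if near:
                findings.append(Finding(field, addr, "possible typo in recipient domain",
                                        f"did you mean @{near[0]}?"))
            else:
                findings.append(Finding(field, addr,
                                        "external domain never corresponded with"))

    if len(visible_external_domains) > max_visible_external:
        findings.append(Finding("*", "",
                                f"{len(visible_external_domains)} external domains "
                                "visible in To/Cc; use Bcc"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one transposed domain, one never-seen domain.
    for f in check_recipients(["counsel@acme-legal.exmaple", "cfo@ourfirm.example"],
                              ["ops@unknown.example"], []):
        print(f)
```

The near-miss list is deliberately small (edit distance of at most two) so that a genuinely new correspondent is reported as "never corresponded with" rather than mis-corrected to a similar known domain; in practice the known-domain set would be built from the sender's sent-mail history rather than a hard-coded constant.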

A common attitude towards enterprise-level information security is “the
bigger the better.” A network needs to sit behind a state-of-the-art
firewall, countless proxies, and support the highest levels of encryption.
This way of thinking is invaluable when preparing for most information
security risks, but completely impractical for dealing with accidental
outbound leaks: no anti-virus is going to pick up on a typo and prevent an
email being misaddressed. Most organisations are unprepared to deal with
data lost through human error, and many don't realise how big a security
risk it is.