Unintended recipient: Why is email still such a risk to data?
Unintended recipient: Why is email still such a risk to data?

The most pervasive communications channel for most organisations worldwide, email, is also one of the most prominent and underestimated data loss vectors, primarily due to human error, which an IBM report estimated was responsible for 95 percent of all security incidents. 

By design, it's an open portal to your organisation, allowing employees to communicate with clients, bosses and each other with relative ease and ubiquity. However, some of the things that make the protocol so lightweight, and easy to use are also those that make it challenging to secure in any meaningful way.

Email is used in innumerable different ways – it's fairly likely that no two people order their email and processes the same, let alone two separate organisations. Employees use it for anything and everything – from sending sensitive data to clients, to discussing personal plans. The versatility of email makes it ultra-convenient but also adds to the risk of content being shared with the wrong people. 

Unlike other messaging platforms, there's no need for sending and receiving parties to use the same email provider, client or server. Because of its pervasiveness, email has become the go-to technology for sharing information within the enterprise. Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets and even watches. This ease of access increases the volume of information transactions and also the speed of email communication, thus making it considerably more prone to human error.

As businesses of all sizes increasingly rely on email as a primary business management tool, the risk that unintended recipients receive sensitive information grows. Email is an open door to an organisation's network, allowing employees to freely communicate with practically anyone by typing a single address. However, the attributes that make email so popular and useful, are the very aspects that make it highly vulnerable to inadvertent data loss.

There have been a number of high profile companies involved in data loss incidents caused by misaddressed emails, companies who undoubtedly had industry standard information security protection. Organisations operating in the legal, healthcare, and financial sectors, among others, are having to handle and communicate confidential data as a matter of course, often sending it externally via email.

Misaddressed emails don't have a common format, no readily identifiable shared traits, and no signature that data loss prevention (DLP) software can look out for – this makes them incredibly difficult to prevent with any degree of accuracy. The Information Commissioner's Office (ICO) reported in 2017 that more than 80 percent of all data lost due to human error was because of misaddressed emails, and almost ten percent was caused by a failure to BCC. While DLP solutions do exist for email, many are disruptive, incomplete, and inefficient, and most do a poor job of preventing misdelivery. 

A common attitude towards enterprise-level information security is “the bigger the better.” A network needs to sit behind a state-of-the-art firewall, countless proxies, and support the highest levels of encryption. This way of thinking is invaluable when preparing for most information security risks, but completely impractical for dealing with accidental outbound leaks: no anti-virus is going to pick up on a typo and prevent an email being misaddressed. Most organisations are unprepared to deal with data lost through human error, and many don't realise how big a security risk it is

Contributed by Tim Sadler, CEO and co-founder at Tessian

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.