Skip to main content

Avoid a €20m fine by improving email security

(Image credit: Image source: Shutterstock/Wright Studio)

The average employee will receive 121 emails throughout their working day. That is 121 potential threats to information security and compliance as it is estimated that 45 per cent of employees have accidentally shared or received (unauthorised) sensitive information in emails.

In today’s post-GDPR environment, organisations need to be conscious of how they handle data as the risks have increased significantly. For example, simply receiving unwanted or unauthorised data via email could result in a €20 million fine for the organisation.

New rules under GDPR stipulate that unauthorised access to personal data must be reported to a data protection regulator, as the information could have a detrimental impact on both the business, as well as the individual concerned. Therefore, if employees receive emails that contain sensitive information and disregard the email without deleting or reporting the occurrence, the whole firm is liable for irresponsible data handling.

While it may sound simple enough, there are a variety of ways that employees can acquire unwanted data via email communication.

‘The wrong Dave’ scenario

Employees regularly find themselves in a situation where they need to send an email to a specific colleague with information concerning an internal account. However, in many situations, there is more than just one employee with the same first name – for example, David (‘Dave’) – and in a hurry, the email containing the sensitive material is sent to the wrong Dave. Only after the email has been sent does the employee realise the error they have made and by then, it is already too late; ‘the wrong Dave’ has now been sent sensitive data they would not have otherwise had access to.

If this mistake goes unaddressed, the company that Dave works for could be fined under GDPR, or other data protection acts, such as Payment Card Industry Data Security Standard (PCI DSS) if the email contains financial details. Alternatively, if the wrong Dave merely deletes the contents without alerting the appropriate department who can correctly ‘cleanse’ the email and archive systems, that sensitive information will remain stored on the corporate network. This could leave the organisation vulnerable to additional costly work to find or ‘discover’ the data as well as compliance fines should the matter become apparent later through an audit check, a ‘right to be forgotten’ (RTBF) request, or – in the worst case scenario – a data breach.

The customer service crisis

Email is one of the easiest means of communication for customers to contact a business or organisation regarding a service or order. Rather than calling a help desk or using a secure portal to contact a customer service team, customers will often email organisations using a generic ‘info@’ email address (which multiple employees have access to), or email employees direct with an enquiry or request. In many of these cases, the email from the customer may include not only personal information, but other sensitive data that not all employees should have access to. For example, an account number would suffice for a customer service representative to locate a past request or order in a dedicated and secured system, but the customer may also email across their full name, telephone number, home address to make the query as easy as possible.

While employees are most likely to not think twice about receiving, and handling, this kind of information in their Inbox and just look at the process as part of assisting the customer, there is essentially a major compliance issue attached to this. The customer email holds personal details and information that only select employees should have authorised direct access to. This data is also classed as unstructured data as it is not presented in the form of a database. Customer data needs to be appropriately secured so businesses can remain compliant with GDPR regulations.

Deceived by hidden data

Simply receiving critical data in the body of an email is just the foundation of the problem in relation to obtaining unwanted data. A file might have been sent to an employee, however, unknown to the sender, there may be hidden metadata attached to a Word files, or hidden columns within a spreadsheet that contain sensitive information that should have been removed before the email was sent.  This unwanted data acquisition makes it even more challenging for organisations to locate and protect or delete sensitive data in order to execute right to be forgotten (rtbf) requests and comply with GDPR in general.

Mitigate the Risks

To alleviate the risk of being caught out by unwanted data acquisition, organisations should implement a number of steps that both improve the employee mind-set around receiving sensitive information via email, as well as enforce rules that ensure unwanted data acquisition is reduced.

The first step will always be around employee awareness. Ensuring employees know the risks and consequences around obtaining sensitive data that they shouldn’t have access to will help to create a culture of awareness and responsiveness; this will also ensure employees are taking more care with sensitive customer data and make them more aware of how they work with it on a day-to-day basis.

It has become a necessity for businesses to implement official processes and policies around data handling and sharing so both current and new employees do not fall out of the habit after their initial training. Making sure these are up to date when new compliance pieces come into effect will also help to mitigate the risk.

Following this, technology should also be deployed to prevent the risk of mistakes, acting as a safety net for businesses. Technology can support GDPR compliance by automating manual data protection processes, enforcing security policies, and providing visibility of data passing in and out of a network. Adaptive security systems can be set up swiftly, automatically and consistently to redact personal information, credit card data, hidden metadata or other sensitive information out of various files types (including images) shared through email, based on policy. By implementing these 3 steps, businesses are able to reduce compliance issues caused by employee mistakes. It also means that any data that is shared with unauthorised users can be dealt with and rectified quickly.

Dr Guy Bunker, SVP of Products, Clearswift
Image source: Shutterstock/Wright Studio

Dr Guy Bunker
Guy is the SVP of Products for cyber security company Clearswift. He is an internationally renowned security expert with over 20 years’ experience in information security and IT management.