In most organisations email security is a top priority. In practice, however, the why, what, for who and how of wanting to improve email security varies greatly between, and even within, organisations. This diversity seems to stem mostly from a lack of a complete overview of how important email security is, what it entails, what problems it can solve and the broad range of value it can bring to different stakeholders.
Email’s popularity is unabated
According to research by The Radicati Group, employees spend, on average, over two hours per day dealing with 130 business emails.
Radicati also estimates that the total number of worldwide emails sent and received each day will exceed a staggering 300 billion during 2020, which is testament to its popularity!
And with an expected yearly growth of more than 4 per cent, email is, and will remain - for at least the next decade - the most important form of communication by organisations.
Email is so popular and in wide use for three main reasons:
- Standardisation - enables different vendors developing different tools with different features to align with the needs of different types of users without affecting their communication partners’ experience.
- Simplicity - almost everyone in the western world has an email address and uses it. Today, the number of email users has grown beyond 4 billion. That is because email is so easy to understand and use.
- Habit - until the emergence of WhatsApp, email was the only digital communication solution available to, and used by, a broad audience. And because it is simple to use, it was adopted by many individuals and also many businesses as their primary form of digital communication. Although a lot of people know and feel the limitations of email, most of us keep on using it because changing behaviour – especially in the workplace - is one of the most difficult things to do.
The what and why of email security
According to Gartner, “Email security refers collectively to the prediction, prevention, detection and response framework used to provide attack protection and access protection for email”. Or, to rephrase that, everything that’s required to prevent data leaks related to the use of email.
IT-oriented people tend to interpret email as the technology behind email, like SMTP. Preventing data leaks related to the use of emails, however, requires looking at email as a ‘use case’; how do different people use it and to do what activity? Technology is, of course, an important aspect, but it’s only there to support the use case. When organisations seek ‘secure email’ they express the need to secure their way of working and the current tools they use for email, such as Outlook, without (probably) really caring about technology.
Another point to consider here is; having first been developed in the 1960s, email was just not built for security. Over the years various attempts have been made to add security to email, with transport encryption (STARTTLS), mail server authentication (DANE) and spoofing and spam protection (DMARC, SPF, and DKIM) becoming standards.
Most of these standards, however, are optional; not widely adopted and they don’t fix problems such as phishing. They also lack any form of end-user authentication. In addition, it has become increasingly clear that these pure technical standards do not mitigate the biggest data leak risk of all: People!
Mitigating the risks of human error
Under GDPR, every EU country needs to have an independent body that organisations are obliged to report data leaks to. In the UK, the Independent Commissioner’s Office (ICO) has been tasked with this role, and will – it is anticipated - continue to do so, at least during the 11-month post-Brexit transition period. (After that time, it will still be necessary for all UK organisations handling or processing EU citizens’ personal data to report data leaks, in order to comply with the EU’s GDPR.)
Looking at the causes of data leaks in different reports, they reveal that the vast majority are not linked to cybercrime. In the UK, for example, 81 per cent of data leaks reported to the ICO during Q3 2019-20 were non-cybercrime related, while in The Netherlands this figure was even higher, with over 95 per cent reported to the Dutch Data Protection Authority.
In both countries, the biggest cause of data leaks was human error. These mistakes included sending information to the wrong recipient; adding the wrong attachment, or an attachment with unintended sensitive information; or exposing recipient information via the ‘To’ or ‘Cc’ email fields, when ‘Bcc’ should have been used.
Another important cause of data leaks was unauthorised access to data, usually due to people using weak passwords lacking two factor authentication (2FA).
To help employees avoid making mistakes when sending information via email or file transfer, organisations need to do the following in conjunction with a trusted IT security provider:
- Increase employee awareness: named as one of the most important measures in GDPR, and similar legislation, and the key to targeting the source of most data leaks: employees.
- Prevent misaddressed emails: The number one cause of data leaks.
- Prevent unintended sharing of sensitive info: This is a big part of the human error problem, having caused 81 per cent of all UK data leaks last quarter.
- Prevent improper use of the ‘Bcc’ field when emailing: In the UK, the ICO’s most recent data security incident trends report has ‘Failure to use bcc’ as a separately listed cause, due to its frequency and potential impact.
- Protect data from unauthorised access: This is the ultimate goal of all legislation related to privacy and protection.
- Guarantee message encryption: As email encryption is opportunistic, trying to encrypt without guarantee - instead of enforcing – does not comply with GDPR, HIPAA, etc.
- Limit impact of data leaks: This is another of the named actions that legislation including GDPR requires organisations to adhere to.
- Apply data retention policies: A specific measure that is central to legislation such as GDPR.
- Identify all risks: This is the key to understanding how to improve data leak prevention, and is essential for security and compliance.
- Measure the effects of measures: Both at the end and the beginning; improving security is about applying measures and measuring their effectiveness.
Outbound email security: Prevent data leaks and increase productivity
People often think of email security as a tool to protect an organisation from phishing, malware and the interception of data, i.e. outsider threats. But, as detailed above, these are no longer the biggest problems from an information security perspective. Instead, the main email threat is from insiders – even though most instances of data loss are accidental.
To tackle the human error data leaks conundrum, organisations need to focus much more on outbound email security and protecting data from unauthorised access by enforcing two-factor authentication. If organisations do that – and manage to do so in a way that is user-friendly for employees, as well as easy to set up and maintain – they can unlock the additional benefits of email security, which include:
- Increasing productivity by using email instead of snail-mail, fax and USB sticks.
- Lowering costs via reduced use of snail-mail, USB sticks and couriers.
- Less use of costly, ineffective portals.
- Lowering costs of manually copying information to a source system.
- Strengthening brand value (via an outbound email security solution that enables customers to add their company logo and corporate branding to each secure message that is sent).
To summarise, preventing data leaks is a key priority in any organisation, either to comply with the EU’s GDPR (or similar legislation), protect company reputation, prevent fines or save the costs associated with losing sensitive information.
In recognition of human error being the main cause of data leaks, organisations need to wake up to the fact that they can do something about it; they can help their workers to reduce mistakes. Easy to use outbound email security combined with positive and engaging security awareness training will, almost certainly, boost employee morale and improve performance, to the benefit of the entire organisation.
Rick Goud, CEO & Co-founder, ZIVVER