Email security remains a growing risk almost a year into widespread remote working
For employees in lockdown, email is a pillar of remote working communication (one of a trinity also featuring Teams chat and Zoom calls). We’re all sending and receiving more emails than ever, including at unusual times of the day as work and home life responsibilities blur, expanding it as a risk vector for data loss.
CISOs are aware of this, and our research at Egress finds that 94 per cent of respondents reported an increase in outbound email traffic since the onset of Covid-19, with one in two experiencing an increase of over 50 per cent. It’s also no surprise that 93 per cent say their organisation suffered data breaches through outbound email in the past 12 months. Shifting to remote and digital-first working has led to an even greater amount of data being accessed and shared by email. Organisations admit to what amounts to 180 incidents per company per year.
We see the sources of this risk every day: autocomplete suggesting a similar but incorrect recipient, the wrong file being attached, mistyping an email address, replying to spear phishing attacks, forgetting to BCC a contact, sending data to a personal email address or adding unauthorised recipients to a chain. These threats have not changed in all the time that email has been used to communicate for work, but the volume of email communication has increased the risk to unacceptable levels.
So what is a security team to do? Blaming employees or shrugging off elevated risk as a sign of the times is unlikely to fly with corporate leadership, clients and consumers. Regulators may have had a quiet 2020 for GDPR cases, but they will likely want to pick up where they left off when it comes to issuing fines for data breaches in 2021. The problem of human error is too prolific and difficult to predict and prevent using legacy approaches. Companies need to make structural changes.
First it is important to try to quantify the size of the risk. This requires an audit of your email infrastructure to determine the scale of errors in existing operations. You should include incidents such as misdirected emails with wrong recipients and attachments, as well as failure to use encryption and other policy violations, and examine times when transport layer security (TLS) should had been protecting data but did not. The results are likely to be worse than you would predict, but there are technical solutions that should allow you to automate much of the audit so you can arrive at them quickly.
Once you understand the scale of the problem, you can show senior management how much risk has increased. Doing so using hard data and demonstrating the new challenges posed by remote working will focus their attention and allow you to make the case for step-changes to outbound email security.
Legacy data-loss prevention (DLP) solutions have failed to mitigate human-activated risks, protecting data based on policy and sensitivity only, and not being able to respond to the context in which data is being shared. Thankfully, advances in contextual machine learning mean that it is possible to deploy intelligent DLP to detect and dynamically prevent data breaches. These can create a baseline of each individual user’s behaviour and relationships, as well as the data they typically handle. This allows the technology to validate in real-time whether each specific email and its attachments are going to the right recipients with the right level of security applied.
As well as addressing a rising source of security risk, investing in outbound email security has operational and financial benefits. Intelligent technology frees employees from restrictive controls to work more productively, with the reassurance that their safety net will alert them to incidents before they happen. Organisations able to provide clients with enhanced guarantees of efficiency and security are more likely to win new business and retain existing customers.
Email has been the primary method of data sharing in companies for decades and will likely remain so for the foreseeable future. Investing in getting it right will reduce breaches and enhance resilience for the long term.
For more information, click here.
by Sudeep Venkatesh, Chief Product Officer, Egress Software Technologies