The Weakest Link in Cybersecurity

Written by

Around 269 billion emails are sent every day. At that rate – and given the technology was developed decades ago – you would anticipate that by now we’d have got to grips with how it works.

Yet the evidence would suggest that we’re still struggling. ICO data between January and March 2017 showed that 11% of data breach incidents reported were the result of information sent by email to the incorrect recipient, just short of the 13% resulting from all ‘cybersecurity incidents’ (such as exfiltration, phishing, DDoS attacks and so on) in the same time frame.

Worse still, it was up 20% from the previous quarter, suggesting that email security is, in fact, a growing threat for business. While it’s worth bearing in mind that these numbers only relate to incidents reported to the ICO – and there’s likely to be many more breaches, either by email or otherwise, left unreported (or unknown) – it’s clear there is a problem.
I would be surprised if there are many of us who can claim to have never experienced that stomach-drop moment of realizing you’ve hit send and your email is heading into the inbox of the wrong person – or persons. It’s what we call the ‘wrong Bob’ or the ‘fat finger’ scenario. It’s all too easy to do, particularly with the autofill function on most email clients. And while some of these day-to-day mishaps are harmless and simply require an apologetic response and redirect of the message, often the consequences can be far more damaging.
There are countless examples and in many of them it’s not simply an individual affected, but businesses and communities of people. Take, for example, an incident reported just a few weeks ago where a Newcastle City Council worker accidentally attached the details of thousands of children and their adoptive parents to an email and sent it to 77 people being invited to a party. While the ICO is yet to reveal any financial penalties for the mistake, should the names and addresses of these vulnerable people have fallen into the wrong hands, the consequences would be far worse than any punitive action from the ICO.
In a similar 2015 incident, an employee at an HIV clinic in London accidently revealed the email addresses of patients and service users receiving its newsletter by entering their addresses in the ‘To’ field rather than ‘Bcc’ one. In this incident, the organization was fined £180,000 for a serious breach of privacy.
While these examples have made the headlines for their data security implications, the consequences of human error can be equally problematic for businesses. Contracts emailed to the wrong people, HR documents sent to the wrong employee, confidential client details forwarded to a competitor. The risks in email are rife.
We’re looking the wrong way
Cybersecurity is big business – and for good reason. According to the Data Breach Level Index, more than nine billion data records have been breached or stolen since 2013. That’s more than five million every single day. Despite increasing awareness of the importance of security – both for businesses and consumers – that number keeps on rising. But is that because we’re focusing our attention in the wrong place?
While sophisticated hacks orchestrated by groups of cyber-criminals are widely publicized and make good headlines and advanced, innovative technologies have been developed to combat these threats, data from Gartner almost 60 percent of privacy failures are caused by employee error. Yet, when it comes to securing staff’s email, we’re not much further along that we were 10 years ago.
Avoiding the send button
Tools are beginning to emerge to help with the problem. Gmail for Business, for example, will now provide a warning when you are emailing someone outside of your organization and contact list, but more advanced solutions are needed to really benefit – and protect – users.
There is a vast amount of data available that can provide insight into the behaviors of employees – from who they typically email, what attachments they usually send those people, keywords frequently used in those correspondence, all the way through to the times of day they are usually active and who they’d usually include in the same emails. These can all be used as identifiers and markers to determine when a mistake is being made.
Such technology, used in conjunction with encryption for sensitive documents and engaging employees in data security, may well save the reputations of countless organizations and individuals, and, more importantly, the privacy of innocent and unknowing parties. Finally email will have the innovative security it actually needs.

What’s hot on Infosecurity Magazine?