As British troops evacuated vulnerable Afghans from Kabul last year, the Ministry of Defence found itself in the midst of three significant data breaches. The problem wasn’t hackers from a foreign power, or infiltration using malware, or even a denial of service attack bombarding the MoD’s servers. It was something a lot simpler: human error.
On three occasions, it emerged, the names and email addresses of 268 Afghans had been accidentally exposed in emails that were sent using the “carbon copy” (cc) field instead of the “blind carbon copy” (bcc) field. The consequences, if the names fell into the wrong hands, were potentially life-threatening.
Though the stakes of that particular leak were unusually high, outbound email leaks such as this are common and, according to Steven Furnell, professor of cyber security at the University of Nottingham, they tend to happen for two main reasons.
“One is carelessness, rushing to do something – attaching the wrong thing, sending to the wrong people,” he says, describing how he is often on the receiving end of emails sent in error because people have typed “Steve” into the address field, and the email software has automatically added his email address instead of the correct one.
The other problem is that it can be hard to differentiate one computer file from another. A text file might contain top-secret business information or tomorrow’s canteen menu. And a spreadsheet might be your fantasy football scores or the quarterly financial results. So it’s unsurprising how carefree we can be when attaching a file, and hitting “send”. It can be hard for people to “appreciate the value and the significance of the material that they’re attaching, and the potential mismatch between that and who they’re sending it to”, says Furnell.
Other recent issues include a leak earlier this year on the Isle of Wight, when the local council inadvertently emailed out details of families who were home schooling, and the government service provider Serco, when it was recruiting for contact-tracing posts during the pandemic, accidentally revealing to applicants the names and details of other people who had applied.
“The lion’s share of data leaks are not caused by sophisticated hackers, but by outbound errors, or certainly errors in communication, by employees within companies,” says Robert Fleming, chief marketing officer at the email security firm Zivver.
In fact, according to the most recent security trends report from the Information Commissioner’s Office, 75% of reported security incidents were down to what it calls “non-cyber” reasons, such as mistakes when sending email, including sending personal data to the wrong recipients.
It’s not surprising then that outbound leaks are something that IT professionals worry about. For its Freedom to Focus report, Zivver surveyed 6,000 IT leaders worldwide, and found that 43% cited data loss through employee email error as a major concern, narrowly behind only malware (48%) and phishing (46%).
“Companies are spending millions on secure gateways, malware detection, and even on paying off ransomware threats, so why aren’t enough companies protecting their employees from making mistakes on their outbound communications too?” asks Fleming.
Some businesses have already got the message, including the workplace management firm Best Companies, which turned to Zivver for help.
“We work with governments, we work with defence contractors, we work with law enforcement agencies and, in some cases, it could be a matter of life or death if the data we hold gets out into the public domain,” says its CEO Jonathan Austin. “We wanted to figure out how to take the pressure off our colleagues and protect ourselves.”
So what can businesses and organisations do to protect against data leaks? One obvious mitigation is to offer employees better training, but with Zivver’s survey finding that 64% of employees disregard their security training in its entirety, this isn’t completely foolproof.
“Three-quarters of IT leaders said in that survey that they believed data security training alone would reduce email security mistakes,” says Zivver’s Fleming. “But then a third of the employees surveyed said that they hadn’t received any security training. And a further third, who actually had received the training, said they had not actually used anything they had learned.”
A more technological solution is required, not least because if a business doesn’t have an approved solution to a file transfer problem, employees may take risks themselves.
“You’ve got platforms where people can set up personal accounts and put corporate information into them, not remotely considering the data protection legislation or rules that sit alongside where the service is, based on where the data might end up residing,” says Furnell. “So you’ve potentially got an increasingly leaky sieve, depending on what services the organisation officially uses, and what shadow services employees might have identified to get the job done for themselves.”
What’s needed is a platform that will empower employees to work securely.
“People make mistakes,” says Fleming, “so it’s important for employers to put in place appropriate measures to empower staff to work securely, so that all the onus isn’t on the employee. Saying ‘attend this extremely dull security awareness training’ is not good enough.”
And this is where a solution such as Zivver comes in. Its platform interacts with every step of the email and file transfer process to keep data secure.
“If I try to send an email to someone I’ve never met before, attaching our company’s profit and loss statement, smart technology will intervene, based on business rules and machine learning, and ask me if I really want to send such confidential information to a new contact,” explains Fleming.
Once an email has been sent, Zivver’s secure transportation layer securely delivers it to the recipient, using asymmetric encryption and zero access technology, meaning that not even Zivver can read the contents of an email or its attachments. And when it arrives, Zivver confirms that the recipient has received and accessed the email.
It is this type of seamless smart technology that Fleming believes can take a bite out of outbound data leaks. “It’s got to be effortless, it’s got to be easy to use,” says Fleming. “Because if it’s super complicated to be secure, you’re asking too much of your employees. Basically, they’re just not going to do it.”
And that, ultimately, is why Best Company’s Austin turned to Zivver – to protect outbound security in a way that wouldn’t make life harder for his team. “From a data communication perspective, and when sharing sensitive information, Zivver ticks all the boxes,” he says. “People love the peace of mind it gives them.”
Fleming adds: “Your employees are your biggest assets, so you’ve got to empower them to do their day-to-day work as effectively and productively as you can. And to do that, you have to help them be secure in their day-to-day work.”
Secure your digital communications now. To find out how Zivver can help, click here
