“Tired and stressed” employees at root cause of most serious email data breaches
Egress today (16 September) released their 2020 Outbound Email Data Breach Report, in which 93% of IT leaders surveyed said that their organisation had suffered data breaches through outbound email in the last 12 months, with employees being tired or stressed cited as the most common factor in the most serious breaches.
The report found that rising outbound email volumes due to COVID-19-related remote working and the digitisation of manual processes are contributing to escalating risk. 94% of respondents reported an increase in email traffic since the onset of COVID-19 and 70% believe that working remotely makes it more likely that sensitive data will be put at risk from outbound email data breaches.
The study, independently conducted by Arlington Research on behalf of Egress, interviewed 538 senior managers responsible for IT security in the UK and US across vertical sectors including financial services, healthcare, banking and legal.
Other key insights from respondents include:
- The most common breach types were replying to spear-phishing emails (80%); emails sent to the wrong recipients (80%); incorrect file attachments (80%)
- 62% rely on people-led reporting to identify outbound email data breaches
- 94% of surveyed organisations have seen outbound email volume increase during COVID-19. 68% say they have seen increases of between 26 and 75%
- 70% believe that remote working makes it more likely that sensitive data will be put at risk from outbound email data breaches
When asked to identify the root cause of their organisation’s most serious breach incident in the past year, the most common factor was “an employee being tired or stressed”. The second most cited factor was “remote working”. In terms of the impact of the most serious breach incident, on an individual level, employees received a formal warning in 46% of incidents, were fired in 27% and legal action was brought against them in 28%. At an organisational level, 33% said it had caused financial damage and more than one-quarter said it had led to an investigation by a regulatory body.
Traditional email security tools are not solving this problem
The research also found that 16% of those surveyed had no technology in place to protect data shared by outbound email. Where technology was deployed, its adoption was patchy: 38% have Data Loss Prevention (DLP) tools in place, while 44% have message-level encryption and 45% have password protection for sensitive documents. However, the study also found that, in one-third of the most serious breaches suffered, employees had not made use of the technology provided to prevent the breach.
Egress CEO Tony Pepper said: “Relying on tired, stressed employees to notice a mistake and then report themselves or a colleague when a breach happens is unrealistic, especially given the repercussions they will face. With all the factors at play in people-led data breach reporting, we often find organisations are experiencing 10 times the number of incidents than they’re aware of. It’s imperative that we build a culture where workers are supported and protected against outbound email breach risk with technology that adapts to the pressures they face and stops them from making simple mistakes in the first place. As workers get used to more regular remote working and reliance on email continues to grow, organisations need to step up to safeguard both employees and data from rising breach risk.”