We look at one of the most common causes of charity data breaches
Data breaches can be hugely costly to charities, both in direct financial terms, and also in terms of loss of trust and loss of reputation. That’s one of the key reasons that charities should take strenuous cyber security measures to mitigate the risk of a data breach caused by cyber criminals.
But it’s important to remember that cyber crime is not the most common cause of personal data breaches. Data published by the Information Commissioner’s Office (ICO) shows that the most common cause is in fact misdirected emails.
In the simplest terms, a misdirected email is an email message or an attachment that ends up being sent to one or more people who were not the intended recipients. There are three common ways this can happen:
1. A user sends an email to the wrong email address. This can happen if an email address is typed in incorrectly (email@example.com instead of firstname.lastname@example.org), or if the user simply chooses the wrong person to email (for example the chief executive of one company instead of another company).
In order to help reduce the incidence of typos in email addresses, many email programs such as Outlook have an “autocomplete” feature which suggests and fills in the rest of an email address after the first few letters have been typed. Unfortunately, autocomplete can actually cause as many misdirected emails as it prevents, because it is all too easy to allow it to fill in an email address without noticing that it is not in fact the intended one.
2. A user clicks on “Reply to all” instead of “Reply”, intending to answer only the sender but without realising that the message is going to potentially hundreds of other people. A user may also use “Reply to all” without noticing that more people have been added to the Cc field than were on the conversation earlier.
A variation of this is when a user puts many email addresses in the Cc field when they should have been in the Bcc field, so that every recipient’s address is disclosed to every other recipient, which is itself a breach of their privacy.
3. A user sends an email to the intended recipient, but adds the wrong attachment. It is very easy to click on the wrong file to attach to an email, and when this happens it is unlikely to be detected before it has been sent.
Misdirected emails account for so many data breaches because of the sheer scale of email communications. To get it into perspective, more than 300 billion emails are sent every day. According to statistics compiled by email security company Tessian, organisations with more than 1,000 employees send around 800 misdirected emails every year, or over two per day, on average.
Of course not every misdirected email leads to a data breach, but emails containing the wrong attachment appear to be the most worrying. Tessian research found that almost a third of misdirected emails caused legal issues for the organisation that sent them, perhaps because attachments by their very nature tend to contain more information, expressed more formally, than the typical contents of an email message.
Perhaps the most important thing your charity can do is highlight the problem of misdirected emails to staff. That’s to make sure that they understand the importance of paying attention to the email addresses that they enter and the files that they attach, and the consequences of making mistakes. In practical terms, this means staff need to check every email and attachment every time before they press “send”.
However, even the most conscientious people can and do make mistakes for a variety of reasons. 52% of people questioned by Tessian said that they tended to make mistakes when tired and, worryingly, 93% said that they were in fact tired at some point during a typical working week.
Below are some other steps to consider.
Despite being intended to cut down on typos in emails (as well as making email address entry quicker and easier), the autocomplete feature of many email programs is a key cause of misdirected emails. Here are some things that staff can experiment with to reduce the likelihood of misdirected emails:
A different tactic for reducing misdirected email errors is to add a delay between when a user presses “send” and when the email is actually sent by the program. In the meantime the email is held in an outbox, providing an opportunity for a user to check that they have not made any mistakes – especially if they realise after they send an email that they have made a terrible mistake.
Perhaps the most effective way of preventing email misdirection, but also the most expensive, is to use email checking software, which is available from a number of vendors including Tessian and DocsCorp.
These programs work in a number of ways, but essentially they look at recipient email addresses and use a simple form of artificial intelligence to assess whether a message is “high risk” and needs to be checked before sending. For example, an email sent internally to a colleague is likely to be assessed as lower risk than one sent to an external company address or to an address at a public provider such as Gmail. The programs also allow users to blacklist certain addresses so that a warning is always issued before email is sent to them.
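As an added illustration of the kind of checks such products run (example code written for this page, not code from Tessian, DocsCorp or any other vendor), the Python below scores a draft’s recipients before it is sent. It covers the three failure modes described above: internal addresses are low risk while external and public-provider addresses are medium; addresses on an always-warn list (the “blacklist” above) are always high; an address that has never been used before but is a near-match for a known contact is flagged as a probable typo or wrong autocomplete pick; and too many external addresses visible in To/Cc triggers a “use Bcc” warning. The domain names, the address book and the thresholds are assumptions constructed for the example.

```python
"""Pre-send recipient risk check (added example; all names and thresholds are assumptions)."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Policy:
    internal_domains: frozenset   # the charity's own domains (lower case)
    public_providers: frozenset   # consumer webmail domains (lower case)
    always_warn: frozenset        # addresses that always trigger a warning (lower case)
    address_book: frozenset       # addresses the sender has knowingly used before (lower case)
    max_visible_external: int = 5 # more external addresses than this in To/Cc -> suggest Bcc


@dataclass
class Verdict:
    level: str = "low"                       # "low", "medium" or "high"
    reasons: list = field(default_factory=list)

    def raise_to(self, level, reason):
        """Record a reason and lift the overall level if this one is more severe."""
        order = ["low", "medium", "high"]
        if order.index(level) > order.index(self.level):
            self.level = level
        self.reasons.append(reason)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def _nearest(address, candidates):
    """Return (known address, similarity 0..1) for the closest entry in the address book.
    An address one or two characters away from a real contact is the classic
    mistyped-address or wrong-autocomplete-pick case."""
    best, best_ratio = None, 0.0
    for cand in candidates:
        ratio = SequenceMatcher(None, address, cand).ratio()
        if ratio > best_ratio:
            best, best_ratio = cand, ratio
    return best, best_ratio


def assess(to, cc, bcc, policy, typo_threshold=0.85):
    """Score a draft's recipients. Internal mail stays low; external and public
    providers raise it to medium; always-warn entries, probable typos and
    over-exposed Cc lists raise it to high."""
    verdict = Verdict()
    for raw in to + cc + bcc:
        addr = raw.strip().lower()
        domain = _domain(addr)
        if addr in policy.always_warn:
            verdict.raise_to("high", f"{raw}: on the always-warn list")
        if domain in policy.internal_domains:
            continue                          # colleague: nothing further to check
        if addr not in policy.address_book:
            near, ratio = _nearest(addr, policy.address_book)
            if near is not None and ratio >= typo_threshold:
                verdict.raise_to("high", f"{raw}: never used before but looks like {near} (possible typo)")
        if domain in policy.public_providers:
            verdict.raise_to("medium", f"{raw}: public mail provider {domain}")
        else:
            verdict.raise_to("medium", f"{raw}: external domain {domain}")
    # Cc-versus-Bcc check: every To/Cc address is visible to every other recipient.
    visible_external = [a for a in to + cc if _domain(a) not in policy.internal_domains]
    if len(visible_external) > policy.max_visible_external:
        verdict.raise_to("high", f"{len(visible_external)} external addresses visible in To/Cc; use Bcc")
    return verdict


# Constructed sample policy for a fictional charity at example.org.
POLICY = Policy(
    internal_domains=frozenset({"example.org"}),
    public_providers=frozenset({"gmail.com", "outlook.com", "yahoo.com"}),
    always_warn=frozenset({"press@newspaper.example.net"}),
    address_book=frozenset({
        "j.smith@partner.example.com",
        "finance@example.org",
        "grants@funder.example.com",
    }),
    max_visible_external=3,
)

if __name__ == "__main__":
    drafts = {
        "colleague":    (["finance@example.org"], [], []),
        "typo":         (["j.smyth@partner.example.com"], [], []),   # one letter off a known contact
        "webmail":      (["someone@gmail.com"], [], []),
        "blacklisted":  (["press@newspaper.example.net"], [], []),
        "should be Bcc": (["a@alpha.test", "b@beta.test"], ["c@gamma.test", "d@delta.test"], []),
    }
    for name, (to, cc, bcc) in drafts.items():
        v = assess(to, cc, bcc, POLICY)
        print(f"{name:14} {v.level:6} {'; '.join(v.reasons) or 'no warnings'}")
```

The similarity threshold and the address book are the two tuning points: a threshold around 0.85 catches a single substituted or dropped character without firing on unrelated addresses, and in a real deployment the address book would be built from the user’s sent-items history rather than typed in by hand. A genuinely new contact still gets a medium warning simply for being external, which is the prompt to look at the address once more before pressing “send”.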