Thought leadership

Are organizations taking outbound risk seriously enough?

by Egress
Published on 13th Jul 2022

For many organizations, the rise of remote working brought on by the COVID-19 pandemic has significantly increased email communication. Our 2020 Outbound Email Security Report revealed that 94% of organizations experienced increased outbound email traffic due to remote working during the pandemic. 

This increase in outbound email traffic also increased outbound security risk. The report revealed that 93% of organizations suffered an outbound data breach in the same 12 months. 

Many organizations still rely on Microsoft 365's defenses to protect them from advanced attacks. However, while this provides a good foundation of protection, it is clear that Microsoft 365 security is not sufficient on its own.

In our most recent report, Cybersecurity experts' views on email risk within Microsoft 365, we spoke with three experts to gain insights into how organizations can reduce outbound email risk within their Microsoft 365 deployment. 

In this article, we have featured some key quotes from the report from Lisa Forte, Co-founder, Red Goat Cyber Security LLP; Robin Bell, CISO, Egress Software Technologies; and Jack Chapman, VP of Threat Intelligence, Egress Software Technologies. 

Many organizations wrongly assume that Microsoft 365 security is a sufficient mitigation

Robin Bell admits that he does not think that organizations are taking outbound risk seriously enough. "I think for many organizations, it is easier to ignore the problem or assume that having Microsoft 365 security is a sufficient mitigation," he says. 

Egress research shows that 85% of organizations using Microsoft 365 have suffered outbound email data breaches. That suggests there are significant security gaps in the software that are still allowing outbound data breaches. These occur via human error such as misaddressed emails and incorrect attachments, people breaking security protocols, and deliberate or malicious exfiltration.

"It's understandable, as Security and IT teams have so many different areas of risk to manage, and they can be overwhelmed with data from the tooling they've deployed," says Bell. 

Outbound email mistakes cost businesses the most

According to Lisa Forte, we are beginning to see a shift in perspective when dealing with outbound risks. "More organizations are asking questions and starting to see not only the risks that exist but actually how much those risks cost," she says. 

Many people are surprised to learn that non-malicious insiders are significantly more common than malicious insiders. That makes them one of the biggest risks organizations face. However, many organizations still focus most of their efforts on deterring malicious insiders. 

"Speaking to a CISO at an event recently, he astutely observed that outbound email mistakes cost businesses the most. He felt that the 'sexier' threats we tend to focus on may not be impacting your bottom line as much as a simple mistake by an employee. It made me realize that it isn't just the data and the reputation risk that matters; it is probably costing you a lot of money too."

It's not just data, reputation, and money on the line. For some organizations, employee mistakes can put people's health and their lives at risk. In 2019, an employee at a gender identity clinic in London accidentally cc'd email recipients instead of bcc'ing them, exposing the identity of almost 2,000 people on the list. As one of the clinic's patients pointed out, "It could out someone, especially as this place treats people who are transgender." 

That isn't the first time such an incident has happened. Previously in 2016, an NHS Trust was fined £180,000 after a sexual health center accidentally leaked the details of nearly 800 patients who had attended HIV clinics.

People underestimate the damage that can occur from a simple mistake

Jack Chapman says, "It is part of the challenge that organizations segment inbound and outbound email risks from each other, rather than looking holistically at email risk.'"

Chapman continues, "With outbound risks, in particular, people often underestimate the damage that can occur from a mistake, rather than something malicious. This has a greater impact on the evaluation of outbound risks vs. inbound risks."

No matter how much money we pour into security training, we will never be able to prevent employees from making mistakes. However, we can implement mitigations to help catch these mistakes before they wreak havoc. That’s why to fully protect against outbound risks, many organizations choose to augment their Microsoft 365 defenses. 

You can download our report to learn more about augmenting your Microsoft 365 defenses and access the full range of insights from the experts.