Data Loss Prevention

How risky is sending a sensitive work email to the wrong person?

by Egress
Published on 20th Apr 2021

Sending a work email to the wrong person – it’s something all of us have done at least once in our working lives. For some people, it’s a regular occurrence. But just how risky is it?

Thinking back over your recent emails, you can probably pick out the ones that would have been worse to misdirect than others. In the best case it’s a non-issue or only slightly embarrassing.

However, when sensitive or personally identifiable data is involved, there can be serious risk to yourself, your organization, and your organization’s clients.

Risks to your organization

If you accidentally email the wrong person within your own organization, it’s (usually) not a big deal. You simply apologize, amend the mistake, and move on.

When a sensitive email is accidentally sent to someone externally though, your business is dealing with a data loss incident. And when an individual makes a mistake that leads to email data loss, it tends to be their organization that pays the price.

US businesses have to navigate a variety of federal and state laws that aim to protect a citizen’s privacy and online data. There isn’t a central federal-level privacy law, like the European Union’s GDPR.

Instead, there are several vertically-focused federal privacy laws, as well as privacy laws at the state level. Some sector-specific laws also exist, in industries such as healthcare and finance.

In the Egress Data Loss Prevention Report, we spoke to 500 IT leaders across both the US and UK to find out how they’d been impacted by email data loss over the previous 12 months.

Even over this relatively short period, 83% of organizations reported their data being put at direct risk via email and 37% had seen damage to their reputation as a result. Of course, the impacts are never just inward-facing. When a data breach takes place, clients take notice.

Risks to client relationships

Something as simple as a misdirected email can have serious knock-on effects when it comes to client relationships. For organizations who handle sensitive client data, it’s rarely just their own reputations that are at risk from a data breach.

Businesses are becoming much more careful about which third parties they let handle their data. Nobody wants to be dragged through a data leak story in the headlines – even if the fault lies with another organization.

Out of the IT leaders surveyed in our DLP Report, 56% had seen an increase in clients asking whether they had email DLP in place. Furthermore, 38% had experienced direct client churn as a result of an email data breach. In the most serious cases, 29% had been the subject of litigation by clients.

It’s not surprising businesses are becoming even more careful about who can handle their data. As we’ve seen, email data breaches are almost always bad news for organizations. But what about the risk to the individuals who cause the breach?

Risks to yourself

People who deliberately leak data, whether for profit or revenge, can find themselves in serious hot water, including serious legal consequences. However, what about people who caused an email data leak through an innocent mistake?

Unfortunately, there can also be serious consequences for people who accidentally misdirect email.

In the Egress 2020 Outbound Email Report, we asked CISOs to reveal the outcomes of their most serious email data breaches in the previous 12 months.

Further action was taken against individuals in 78% of email data loss incidents, of varying severity. Just under half (46%) of people who caused a breach received formal warnings. Others weren’t so lucky.

In 27% of cases, the individual was fired, and in 28% of cases, legal action was taken against the employee. The good news is that misdirected email isn’t something you need to be fearful of – there are intelligent solutions out there that can help.

How to protect yourself from misdirected email

The worst-case scenarios for misdirecting a sensitive work email can have far-reaching impacts on organizations, their clients, and their individual employees. Mistakes aren’t going away any time soon though, and it would be unrealistic to expect that.

Neither is it productive to expect employees to double- or triple-check every email they ever send.

The best solutions understand human behavior and adapt and learn from individual users, prompting them only when they’ve made a mistake. In other words, human layer security.

Egress Intelligent Email Security is an example of human layer security, as it uses machine learning to adapt to each individual user’s behavior. It helps to catch context-driven mistakes such as adding the wrong recipient, attaching the wrong file, or forgetting to use Bcc instead of Cc. There are no irritating productivity-dampening prompts either – it only alerts users to genuine risks based on their past actions.
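As an added illustration of the behaviour-based approach described above (example code, not Egress's product, and far simpler than a machine-learning system): a check that builds a per-sender baseline of recipient domains from past sent mail and prompts only on recipients outside that baseline, flagging look-alike domains that suggest a typo and large external recipient lists left visible in To/Cc. The home domain, the sending history and the threshold are constructed for the example.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "acme.example"  # assumed home domain of the organisation

# Constructed sending history for one user: (sender, recipients). A real
# deployment would build this from the mail server's sent-items log.
HISTORY = [
    ("alice@acme.example", ["bob@acme.example", "carol@partner.example"]),
    ("alice@acme.example", ["carol@partner.example"]),
    ("alice@acme.example", ["dan@partner.example", "bob@acme.example"]),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_profile(history):
    """Per-sender count of how often each recipient domain was used."""
    profile = defaultdict(lambda: defaultdict(int))
    for sender, rcpts in history:
        for r in rcpts:
            profile[sender][domain(r)] += 1
    return profile

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(profile, sender, to, cc, max_visible_external=5):
    """Return the prompts a user should see before this message is sent."""
    warnings = []
    known = profile.get(sender, {})
    for r in to + cc:
        d = domain(r)
        if d == INTERNAL_DOMAIN or d in known:
            continue  # internal or previously used domain: no prompt
        near = [k for k in known if k != INTERNAL_DOMAIN and edit_distance(d, k) <= 2]
        if near:
            warnings.append(f"{r}: '{d}' looks like a typo of known domain '{near[0]}'")
        else:
            warnings.append(f"{r}: you have never sent to domain '{d}' before")
    visible_external = [r for r in to + cc if domain(r) != INTERNAL_DOMAIN]
    if len(visible_external) > max_visible_external:
        warnings.append(f"{len(visible_external)} external recipients are visible in To/Cc; use Bcc")
    return warnings
```

A message to recipients the sender has used before produces no prompt, so the user is only interrupted when the recipient list actually departs from their own history.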

If you’d like to learn more about how human layer security can keep you and your organization safe from data loss via email, please contact us to book a demo.

What is a misdirected email?

A ‘misdirected email’ describes an instance where an email is sent to the wrong person or the wrong attachment has been added to an email that has the correct recipients in it.