Data Loss Prevention

How risky is sending a sensitive work email to the wrong person?

by Egress
Published on 20th Apr 2021
Impersonation Executive 1003X250 46Kb

Sending a work email to the wrong person – it’s something all of us have done at least once in our working lives. For some people, it’s a regular occurrence. But just how risky is it?

Thinking back over your recent emails, you can probably pick out the ones that would have been worse to misdirect than others. In the best case it’s a non-issue or only slightly embarrassing.

However, when sensitive or personally identifiable data is involved, there can be serious risk to both yourself, your organization, and your organization’s clients.

Risks to your organization

If you accidentally email the wrong person within your own organization, it’s (usually) not a big deal. You simply apologize, amend the mistake, and move on.

When a sensitive email is accidentally sent to someone externally though, your business is dealing with a data loss incident. And when an individual makes a mistake that leads to email data loss, it tends to be their organization that pays the price.

US businesses have to navigate a variety of federal and state laws that aim to protect a citizen’s privacy and online data. There isn’t a central federal level privacy law, like the European Union’s GDPR.

Instead, there are several vertically-focused federal privacy laws, as well as privacy laws at the state level. Some sector-specific laws also exist, in industries such as healthcare and finance.

In the Egress 2021 Data Loss Prevention Report, we spoke to 500 IT leaders across both the US and UK to find out how they’d been impacted by email data loss over the previous 12 months.

Even over this relatively short period, 83% of organizations reported their data being put at direct risk via email and 37% had seen damage to their reputation as a result. Of course, the impacts are never just inward facing. When a data breach takes place, clients take notice.

Risks to client relationships

Something as simple as a misdirected can have serious knock-on effects when it comes to client relationships. For organizations who handle sensitive client data, it’s rarely just their own reputations that are at risk from a data breach.

Businesses are becoming much more careful about which third-parties they let handle their data. Nobody wants to be dragged through a data leak story in the headlines – even if the fault lies with another organization.

Out of the IT leaders surveyed in our DLP Report, 56% had seen an increase in clients asking whether they had email DLP in place. Furthermore, 38% had experienced direct client churn as a result of an email data breach. In the most serious cases, 29% had been the subject of litigation by clients.

It’s not surprising businesses are becoming even more careful about who can handle their data. As we’ve seen, email data breaches are almost always bad news for organizations. But what about the risk to the individuals who cause the breach?

Risks to yourself

People who deliberately leak data can find themselves in serious hot water. There are serious legal consequences when people deliberately leak data, whether for profit or revenge. However, what about people who caused an email data leak through an innocent mistake?

Unfortunately, there can also be serious consequences for people who accidentally misdirect email.

In the Egress 2020 Outbound Email Report, we asked CISOs to reveal the outcomes of their most serious email data breaches in the previous 12 months.

Further action was taken against individuals in 78% of email data loss incidents, of varying severity. Just under half (46%) of people who caused a breach received formal warnings. Others weren’t so lucky.

In 27% of cases, the individual was fired, and in 28% of cases, legal action was taken against the employee. The good news is that misdirected email isn’t something you need to be fearful of – there are intelligent solutions out there that can help.

How to protect yourself from misdirected email

The worst-case scenarios for misdirecting a sensitive work email can have far-reaching impacts for organizations, their clients, and their individual employees. Mistakes aren’t going away any time soon though, and it would be unrealistic to expect that.

Neither is it productive to expect employees to double or triple-check every email they ever send.

The best solutions understand human behavior and adapt and learn from individual users, prompting them only when they’ve made a mistake. In other words, human layer security.

Egress Intelligent Email Security is an example of human layer security, as it uses machine learning to adapt each individual user’s behavior. It helps to catch context-driven mistakes such as adding the wrong recipient, attaching the wrong file, or forgetting to use Bcc instead of cc. There are no irritating productivity-dampening prompts either – it only alerts users to genuine risks based on their past actions.

If you’d like to learn more about how human layer security can keep you and your organization safe from data loss via email, you can explore our content hub for more information. Or if you’d like to start a trial, get in touch and we’ll be more than happy to arrange a free demo with your IT team.

You might also be interested in ...

How to recall an email in Outlook

Find out how to recall an email using Outlook. We also suggest other ways to stop sending emails to the wrong people in the future.

Egress named as a representative vendor in the Gartner Market Guide for Data Loss Prevention (DLP)

Industry analyst Gartner recently published their 2022 report on the state of the DLP market. They consider DLP a mature technology but do talk to the emergence of next generation data security tools for insider risk management and cloud use cases.

Accidentally received someone else's confidential email? Here's what to do

Learn how to respond if someone accidentally sends you a confidential email.