A ‘misdirected email’ describes an instance where an email is sent to the wrong person or the wrong attachment has been added to an email that has the correct recipients in it. This is an act everyone has committed and can happen for any number of reasons. A common culprit is Microsoft Outlook’s autocomplete functionality, which can be great for productivity but often not so good for misdirecting emails. For example, it is very easy to accidentally add ‘Rachael’ instead of ‘Rachel’ when using autocomplete.
Similarly, when we’ve talked to people who have accidentally misdirected emails, feeling pressurised frequently led to these mistakes - and it's not just those in stereotypically stressful jobs who can feel like this: simply using email can create this feeling. (The average office worker receives 121 emails per day, and answering an email can lead to 20+ minutes of unproductivity, temporarily decrease IQ by 10 points, lead to bad job performance, and leave workers frustrated!) Other factors that lead to misdirected emails, such as being tired or not feeling well, and sending emails from mobile devices, have all played their part in this issue.
And this problem isn't going away. Statistics from the Information Commissioner's Office (ICO) showed 60% of breaches of personal data are the result of human error, with 43% of these caused by incorrect disclosure. Nearly one-fifth of these incidents (18%) were caused by emailing incorrect recipients, including failing to use the Bcc field.
What are the consequences of a misdirected email?
In some circumstances, misdirected emails can simply be inefficient and embarrassing. When an email and/or attachment doesn’t contain any sensitive data, then the person just needs to be made aware, apologize, and resend their email to the correct recipient.
However, most employees will use email at some time or another to share sensitive information. This could be client data, service users’ personal data, or even project IP that’s private to their organization/authorized third parties. Where data of this kind is sent in a misdirected email, the outcome is typically more severe.
Data privacy regulations are only getting more stringent. In Europe, GDPR set the tone for how organizations need to protect sensitive information in the digital age. In the US, we’re seeing states following this trend, with the California Consumer Privacy Act (AB-375) being one of the strictest regulations when it comes to protecting data. The penalties for non-compliance can be severe – opening organizations up to significant fines and litigation from affected data subjects. Media coverage/reporting of the breach can have impacts on organizations’ reputations and, in some cases, limit the careers of the individual(s) involved.
How can you prevent misdirected emails?
The good news is that advanced DLP and machine learning technology can prevent email data breaches.
Older-style, static DLP technologies don’t have the flexibility required to catch misdirected emails. They are based on established and known rules, and while actions such as blacklisting certain domains can be helpful, they can’t cater for use cases where the right information must be sent to the right recipient at a certain domain to prevent a misdirected email.
For example, they can determine that case or project information associated with the number “XX-123456” can’t be sent to the domain “@companyX.com”. So, if that one type of static rule is all that you need, then you’re doing OK. However, data sharing requirements are usually more complex than that. They might be something along the lines of: a user is permitted to send information with the associated number “XX-123456” to Recipient A at “companyX.com” but not to Recipient B.
For the latter use case, you need something more intelligent. You need machine learning technology that can inspect the content in an email and its attachments, and determine whether it is suitable to be sent to the recipients added to an email chain. Where that is not the case, and an email is about to be misdirected, the sender needs to be notified so that they can correct the problem.
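To make the difference between the two kinds of rule concrete, here is an added example (not Egress’s product logic, and not code from the original post) of an outbound policy check that supports both a domain-level rule and a per-recipient rule for the same kind of case number. The case numbers, addresses and rule table are constructed for illustration; the check scans the subject, body and attachment names and returns a verdict the mail client could use to hold the message and notify the sender.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy: each case/project number maps to who may receive it.
# A bare domain entry ("companyx.com") allows anyone at that domain (the static,
# domain-level rule). An address entry allows only that person (the per-recipient
# rule that the article says static DLP cannot express).
POLICY = {
    "XX-123456": {"recipient.a@companyx.com"},   # Recipient A only, never Recipient B
    "YY-654321": {"companyx.com"},               # anyone at companyX.com
}

# Case numbers in this constructed scheme look like "XX-123456".
CASE_NUMBER = re.compile(r"\b[A-Z]{2}-\d{6}\b")


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def recipient_allowed(recipient: str, allowed: set) -> bool:
    """True if the address itself, or its whole domain, is in the allow set."""
    recipient = recipient.strip().lower()
    domain = recipient.rsplit("@", 1)[-1]
    return recipient in allowed or domain in allowed


def check_outgoing(recipients, subject, body, attachment_names=()):
    """Inspect the message plus attachment names; block if any case number
    would reach a recipient its rule does not permit."""
    text = " ".join([subject, body, *attachment_names])
    verdict = Verdict(blocked=False)
    for number in sorted(set(CASE_NUMBER.findall(text))):
        allowed = POLICY.get(number)
        if allowed is None:
            # A static engine can only act on numbers it has a rule for.
            verdict.reasons.append(f"{number}: no rule configured, not checked")
            continue
        for rcpt in recipients:
            if not recipient_allowed(rcpt, allowed):
                verdict.blocked = True
                verdict.reasons.append(f"{number} must not be sent to {rcpt}")
    return verdict
```

Attachment names are checked because a correct recipient list with the wrong file attached is the other form of misdirection the article describes.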
In addition, this advanced DLP doesn’t require administrators to intervene to update and evolve. Unlike static DLP rules, which are programmed in by an administrator, advanced DLP learns from senders’ behaviours and the decisions they make, building a far more expansive safety net for misdirected emails than the older technologies can provide.
This is the type of technology we are pioneering at Egress, alongside other functionality that also ensures the right level of protection (encryption) is applied to emails that contain sensitive data as they are sent over the internet.