London - 21st October 2020 - For the second quarter running, the ICO's latest security trends report shows that misdirected emails are the top cause of reported incidents, and led to 44% more incidents than phishing attacks.
The data also continues show that human-activated security incidents - caused when people interact with sensitive data - pose major risk to organisations. Categorised by the ICO as ‘non-cyber incidents’, the top three for Q1 2020/21 (April - June 2020) were:
- Data emailed to an incorrect recipient
- Data posted or faxed to an incorrect recipient
- Failure to use Bcc
Misdirected emails are the biggest risk to data - and lockdown is only amplifying this
As every employee uses email to send and receive sensitive data, users adding incorrect recipient(s) or attaching the wrong file(s) was the leading cause of security incidents even before national and local lockdowns were implemented in response to the COVID-19 pandemic. The ICO's Q4 2019/20 (January - March 2020) report again showed misdirected emails topping the list for security incidents reported, at a 25% increase from the previous quarter.
As part of the recently published 2020 Outbound Email Security Report, one-in-two CISOs stated their organisation had experienced an increase of more than 50% in outbound email traffic. This increase in volume has naturally led to an increase in surface area for risk. What's more, when thinking about previous incidents, CISOs reported employees were more likely to put data at risk when working remotely, and when they are tired and stressed, meaning the pandemic is heightening risk on numerous fronts.
Egress CEO Tony Pepper commented on the news: “Misdirected emails are the UK’s number one cause of reported security incidents – so it comes as no surprise that they once again top the ICO’s list for reported data security incidents in Q1 2020. However, what may come as a shock to many is the sheer scale of the problem with the ICO’s data revealing it to be a 44% bigger risk than phishing attacks.
"Everyone has access to email and while organisations often focus their efforts on defending inbound attacks like phishing and other malware, the reality is that human-activated outbound email risk is the major cause of security incidents. I have no doubt that when the ICO reveals its statistics for Q2 2020/21, remote working during the COVID-19 lockdown will only have amplified the number of misdirected emails as organisations reliance on email as a critical communication tool during this period will have exacerbated the problem."
The tip of the ice berg
With most CISOs (62%) relying on people-based reporting to uncover outbound email security incidents, the true scale of the problem has yet to be realised in many organisations. While security teams should always encourage people to report incidents, they shouldn't rely on it. In the case of outbound email, people firstly have to realise that the incident has taked place, secondly have the awareness to know sensitive data has been put at risk, and finally possess the willingness to come forward. This latter factor is directly impacted by the repercussions for security incidents. Again, the 2020 Outbound Email Security Report showed that only one-fifth of incidents didn't impact the employees involved - with the vast majority of individials being formally disciplined (46%) or even fired (27%).
Pepper continues: "What is potentially more concerning is that the true size of the misdirected email issue could be even more damning than is conveyed by the ICO’s data. Our recent research showed that 62% of organisations rely on people to report outbound email data breaches (including sender, recipients and colleagues). This is an incredibly risky strategy, as many individuals will not have reported incidents at all because they’re unaware they’ve happened or due to fear of repercussions.
"What remains clear is that it is up to organisations to get on the front foot with solving this problem, looking to intelligent email security that uses the latest in contextual machine learning to detect mistakes and prevent breaches before they happen – enabling employees to work both more productively and securely.”
Read the ICO's report
Click here to access this data on the ICO's website.