Misdirected email incidents rise by over 50%, ICO report reveals

10th Dec 2020

London – 10th December 2020 - For the third quarter running, the ICO's latest security trends report shows that misdirected emails are the top cause of reported incidents, and led to 55% more incidents than phishing attacks. The statistics also showed that the total number of incidents reported between July – September 2020 increased by 79% compared to the three months before. As remote working continues, the risk to personal data is clear.

The data also continues to show that human-activated security incidents - caused when people interact with sensitive data - pose a major risk to organisations. Categorised by the ICO as ‘non-cyber incidents’, the top three for Q2 2020/21 (July - September 2020) were:

  • Data emailed to an incorrect recipient
  • Data posted or faxed to an incorrect recipient
  • Loss/theft of paperwork or data left in insecure location

Once again, misdirected emails are the biggest risk to data

While reported data breach incidents rose overall, surging by nearly 80% on the previous quarter, one thing remained the same: the biggest single cause of reported incidents was misdirected email. In fact, the number of incidents caused by employees sending data to the wrong recipient over email increased by over 50% on the previous quarter.

In the recently published 2020 Outbound Email Security Report, 94% of organisations reported an increase in outbound email volumes due to Covid-19 and remote working. This has naturally led to a larger surface area for risk. What's more, CISOs also reported that employees were more likely to put data at risk when working remotely and when tired and stressed, meaning the pandemic is heightening risk on numerous fronts.

Egress CEO Tony Pepper commented on the news: “The ICO’s statistics show that reported security incidents have surged by 79% since Q1 2020 (April - June), and highlight the full impact of remote working on security.

With remote working causing increased reliance on email as a way to communicate personal data, it's no surprise that misdirected emails remain the UK’s single biggest cause of reported security incidents in Q2 2020. Although incidents such as phishing and malware tend to grab the headlines, the sheer scale of the risk involved with outbound email is clear, with the ICO’s data revealing it to be a 55% bigger risk than phishing attacks.

With our research finding that 93% of organisations have suffered an email data breach in the last 12 months, this data highlights the ongoing need for organisations to remain hyper-vigilant when it comes to mitigating insider security risks, particularly during this pandemic. It’s high time that organisations take proactive steps to put the right security strategies and technologies in place to provide a safety net for their employees, particularly as they use email - a fundamental business communication tool.”

Healthcare, finance and legal have cause for concern

The ICO’s statistics show that the top five sectors reporting misdirected email incidents are:

  • Education
  • Healthcare
  • Finance
  • Legal
  • Local Government

For the healthcare sector, misdirected email incidents rose by 217% on the previous quarter, presenting a 151% bigger risk than phishing. The healthcare industry has made security headlines throughout the pandemic, as it faces an onslaught of COVID-related phishing attacks. As well as protecting employees from external sources of risk, it’s clear these organisations must also provide a safety net for inadvertent outbound data leaks to keep patient data safe.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress, a KnowBe4 company, is the only cloud email security provider to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.