Industry news

Misdirected emails are top cause of UK security incidents

London - 28th May 2020 - The Information Commissioner’s Office (ICO) latest report on data security incident trends shows a pronounced uptick in human-activated incidents. Categorised primarily by the ICO as ‘non-cyber incidents’, these are caused by people’s behaviour putting data at risk. The top three categories in the Q4 report were:

  • Data emailed to an incorrect recipient
  • Data posted/faxed to an incorrect recipient
  • Loss/theft of paperwork or data left in an insecure place

Misdirected emails are a bigger security threat than phishing

Data emailed to incorrect recipients – more commonly known as ‘misdirected emails’ – was the number one cause of categorised incidents reported to the ICO in the timeframe. Data breaches resulting from misdirected emails are a global and ubiquitous problem: everyone has access to email, and while organisations often focus on how it can be exploited for inbound attacks like phishing, the ICO’s statistics show that ‘inadvertent insiders’ making mistakes account for far more reported incidents:

Misdirected emails accounted for 20% more reported incidents than phishing attacks (the second highest cause of incidents in the Q4 report) and this is a problem that has grown by 25% since Q3 2019.

What’s more, remote working during the COVID-19 lockdown has only amplified this issue. At Egress, we have seen an average 23% rise in email usage, as organisations rely even more heavily on it as a critical business communication tool. On its own, this increases the risk of someone sending an email to an incorrect recipient or attaching the wrong document – and we must add to this the disruption caused by working from home, whether that’s using mobile devices or laptops with smaller screens, or working later into the evening to accommodate daytime childcare or other commitments.

Healthcare, legal and financial services have cause for concern

The ICO’s statistics show the top five sectors reporting the most security incidents are:

  • Healthcare
  • Education
  • Legal
  • Financial Services
  • Local Government

Again, we see from the report that human behaviour has a significant impact on data breach incidents in all these sectors, which are trusted with confidential personal data on behalf of their clients and service users.

For healthcare, legal, financial services and local government, the top three categorised incidents are: misdirected emails, posting or faxing data to the wrong recipient, and loss or theft of paperwork. Only in the education sector do phishing attacks rank as the second highest cause of breaches, behind misdirected emails.

As well as emailing the wrong recipients, organisations’ continued reliance on fax and post to share sensitive data remains a concern – especially in healthcare organisations, where faxes have been outlawed for the NHS by Health Secretary Matt Hancock. It’s clear that all organisations must find a solid route to secure digitisation, particularly in the current climate in which reliance on fax and post can’t be effectively sustained due to social distancing.

Secure digitisation must become the priority

The UK and the rest of the world remain in a state of flux due to the COVID-19 pandemic. But throughout all industries, this is also proving to be a time of revolution for secure digitisation. Large-scale remote working and social distancing are forcing organisations to re-examine established processes, providing opportunity for innovation that leads to improved security, efficiency and cost-effectiveness.

The findings from the ICO’s report give this process its focus. Wherever possible, paper-based processes must be digitised. Then the latest in intelligent technologies, like contextual machine learning, can be overlaid to provide a safety net that detects when human behaviour is about to put data at risk – for example, by spotting incorrect recipients in an email and alerting a user before they hit ‘Send’.
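To make the "spot the incorrect recipient before Send" idea concrete, the following is an added illustration (not Egress’s product code, nor anything described in the ICO report) of two cheap heuristics that an outbound mail gateway or mail-client add-in can run on a draft. The first flags recipients at a domain the sender has never emailed, and separately flags domains within a small edit distance of a familiar one (a typo such as `contsoo.com` for `contoso.com`). The second flags drafts whose external recipients span more than one organisation, the classic way one client’s data ends up with another. The internal domain, the send history and all addresses are constructed samples.

```python
"""Pre-send recipient checks for misdirected email.

Added illustration of the technique, not vendor code. All domains, addresses
and the per-domain send history below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: the sender's own organisation and how many emails they
# have previously sent to each external domain (a real add-in would build this
# from the Sent Items folder or a gateway log).
INTERNAL_DOMAIN = "acme.example"
SAMPLE_HISTORY: Dict[str, int] = {"contoso.com": 42, "example-law.co.uk": 17}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo'd lookalikes of familiar domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution / match
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Bare domain of an email address, normalised for comparison."""
    return address.strip().rsplit("@", 1)[-1].lower()


def check_recipients(recipients: Iterable[str],
                     history: Dict[str, int],
                     internal_domain: str,
                     max_distance: int = 2) -> List[Tuple[str, str, Optional[str]]]:
    """Return (address, reason, detail) for every recipient worth a prompt.

    reason is "lookalike" (detail = the familiar domain it resembles) or
    "never-seen" (detail = None). Familiar recipients produce nothing.
    """
    familiar: Set[str] = {internal_domain.lower()} | {
        d.lower() for d, count in history.items() if count > 0
    }
    warnings: List[Tuple[str, str, Optional[str]]] = []
    for addr in recipients:
        dom = domain_of(addr)
        if dom in familiar:
            continue
        # A new domain one or two edits away from one we email often is far
        # more likely to be a typo than a genuine new contact.
        lookalike = next((k for k in sorted(familiar)
                          if 0 < edit_distance(dom, k) <= max_distance), None)
        if lookalike is not None:
            warnings.append((addr, "lookalike", lookalike))
        else:
            warnings.append((addr, "never-seen", None))
    return warnings


def mixed_external_domains(recipients: Iterable[str], internal_domain: str) -> Set[str]:
    """External domains on the draft if it addresses more than one organisation,
    otherwise an empty set. Catches the 'two clients on one email' leak."""
    external = {domain_of(a) for a in recipients} - {internal_domain.lower()}
    return external if len(external) > 1 else set()


if __name__ == "__main__":
    draft = ["partner@contoso.com", "billing@contsoo.com",
             "j.smith@example-law.co.uk", "k.jones@fabrikam.net"]
    for addr, reason, detail in check_recipients(draft, SAMPLE_HISTORY, INTERNAL_DOMAIN):
        print(f"WARN {reason:10s} {addr}" + (f" (did you mean {detail}?)" if detail else ""))
    orgs = mixed_external_domains(draft, INTERNAL_DOMAIN)
    if orgs:
        print("WARN draft goes to several external organisations:", ", ".join(sorted(orgs)))
```

Both checks are nudges rather than blocks: a never-seen domain is exactly what a legitimate first contact looks like, and many emails genuinely go to several organisations, so the prompt should show the sender what was matched and let them confirm. The edit-distance threshold of 2 is an assumption; for very short domains it will match unrelated names and should be tightened.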

It is imperative that organisations take this opportunity for secure digitisation – to ensure better data protection for citizens, as well as operate with maximum efficiency in the times that are ahead.

Read the ICO's report

The underlying data security incident trends data is available on the ICO's website.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

Trusted by the world’s biggest brands, Egress has offices in London, Sheffield, Cheltenham, New York, Boston, and Toronto. In April 2024 KnowBe4, the provider of the largest security awareness training and simulated phishing platform, entered into a definitive agreement to acquire Egress.