We recently hosted a webinar to explore how and why risks originate as employees use email to share data, and what we can do to protect businesses in the future.
Egress CEO Tony Pepper was joined by Zsuzsanna Berenyi, Head of Cyber Security Awareness and Culture at the London Stock Exchange Group (LSEG), who shared her views on the 'human factor' behind email data breaches, the impact they can have on firms, and the risk landscape for a future of flexible working.
Human-activated breaches are common
Research from Egress has shown that 83% of organisations across all industries have experienced a data breach in the past 12 months. We also found that 91% of financial services (FS) organisations reported an increase in outbound email traffic during the pandemic.
During the webinar, Tony explained that the top three causes of data loss are all human-activated errors: selecting the wrong email recipient, attaching the wrong document, and clicking on a targeted spear-phishing email. Any of these incidents can have severe consequences in a tightly regulated industry such as FS.
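As an added illustration (not code from the original post, and not Egress's product logic), the Python sketch below shows what a pre-send guardrail for the first two errors above can look like: it flags recipients at a domain the sender has never emailed, near-miss domains that suggest an autocomplete slip (the classic wrong-recipient mistake), attachments labelled confidential that are addressed outside the organisation, and messages that span several external organisations. The internal domain, the sender's correspondence history and the classification labels are all constructed for the example.

```python
"""Pre-send guardrail for misdirected email and mis-attached files.

Added illustration only; not Egress's product logic. The sender's
correspondence history, the internal domain and the classification
labels are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

INTERNAL_DOMAIN = "example-bank.test"  # hypothetical sending organisation

# Constructed history: the external and internal domains each sender has emailed before.
SENT_HISTORY: Dict[str, Set[str]] = {
    "alice@example-bank.test": {"example-bank.test", "acme-law.test", "partner-fund.test"},
}

# Classification labels that should not leave the organisation without a second look.
SENSITIVE_LABELS = {"confidential", "restricted"}


@dataclass
class Draft:
    sender: str
    recipients: List[str]
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> label


def domain_of(address: str) -> str:
    """Return the lower-cased domain part, or '' if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains (typos, autocomplete slips)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_draft(draft: Draft) -> List[Tuple[str, str]]:
    """Return (code, detail) findings the sender must confirm before the mail leaves."""
    findings: List[Tuple[str, str]] = []
    known = SENT_HISTORY.get(draft.sender.lower(), set())
    external: List[str] = []

    for rcpt in draft.recipients:
        dom = domain_of(rcpt)
        if not dom:
            findings.append(("INVALID_ADDRESS", rcpt))
            continue
        if dom != INTERNAL_DOMAIN:
            external.append(rcpt)
        if dom == INTERNAL_DOMAIN or dom in known:
            continue
        # A domain within two edits of one the sender already uses is far more
        # likely to be a mis-selected recipient than a genuinely new contact.
        lookalikes = sorted(k for k in known if edit_distance(dom, k) <= 2)
        if lookalikes:
            findings.append(("LOOKALIKE_DOMAIN", f"{rcpt} resembles {', '.join(lookalikes)}"))
        else:
            findings.append(("UNKNOWN_DOMAIN", f"{rcpt} has never been emailed by {draft.sender}"))

    sensitive = sorted(f for f, label in draft.attachments.items()
                       if label.lower() in SENSITIVE_LABELS)
    if sensitive and external:
        findings.append(("SENSITIVE_TO_EXTERNAL", f"{sensitive} addressed to {external}"))

    # Several distinct external organisations on one mail is a common reply-all
    # or wrong-thread symptom and worth a prompt even when every domain is known.
    if len({domain_of(r) for r in external}) > 1:
        findings.append(("MIXED_EXTERNAL", "recipients span more than one external organisation"))

    return findings


if __name__ == "__main__":
    draft = Draft("alice@example-bank.test", ["dan@acne-law.test"],
                  {"q3-positions.xlsx": "Confidential"})
    for code, detail in check_draft(draft):
        print(f"{code}: {detail}")
```

The guardrail only prompts; it does not block, which matches the "okay to make mistakes" framing later in the post. In a real deployment the history would come from the mail server's sent log and the labels from the document classification system rather than from the constructed dictionaries here.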
It’s likely that everyone will have accidentally received an email not meant for them at least once. Zsuzsanna told attendees about a recent personal experience where she had received a file with sensitive information. She let the sender know and then deleted the file – but it posed a question: would someone else have done the same for her?
It's a problem on many IT leaders' minds. They're working hard to assess where the risks are in their supply chains and asking partner organisations what technical controls they have in place. Egress findings back this up: 68% of FS organisations have seen an increase over the past 12 months in clients asking whether they have email data loss prevention (DLP) tools in place.
Securing a remote workforce
The business world has shifted to a digital-first strategy over the past year. More content and data are being shared digitally than ever before through email, file sharing and collaboration tools, and chat applications such as MS Teams. So how do we stop a rising tide of data loss in a remote-first world?
There's still some debate among FS firms about exactly what the workplace will look like post-pandemic. But with data suggesting that 67% of professionals expect to work remotely after pandemic restrictions lift, remote working is here to stay in at least some form.
Working from home comes with its own challenges. People may have families or house/flatmates around, as well as other potential disruptions or distractions. Some might even be working longer hours than when they worked in the office. Zsuzsanna advised that businesses need to understand what employees are going through, while also keeping security in mind when it comes to digital communications.
She went into detail about some of the questions that businesses need to ask with a more distributed workforce. Are remote employees' personal devices secure? Are their home routers and passwords secure? A VPN alone is not enough; the whole home network needs to be secured.
Zsuzsanna added that there is only so much you can do with technology or training alone. The approaches need to be merged to keep employees both secure and productive. Once employees understand how the technology works and why it benefits them, it will be more effective.
But is the technology out there up to scratch?
Traditional approaches are disappearing
The traditional security approach was to protect the network and application layers. Now, according to Tony, it's about providing a layer of protection around the human layer: "Phishing is so much more targeted and complex now – even more so than 18 months ago. Can you honestly be certain whether emails are genuine? And how confident are you that you have the defensive tools in place?"
Egress data has shown that many IT leaders don’t have confidence in traditional DLP tools, with 42% of CISOs not trusting their tools to catch even half of their security incidents. Worryingly, many organisations also rely exclusively on self-reporting. This depends on employees knowing they’ve caused a breach in the first place, and then choosing to report rather than keeping quiet and hoping it goes away.
With severe consequences for data breaches in the heavily regulated FS industry, there's always a chance that employees are afraid to report leaks, especially if they believe they will be demonised for their mistake. So how do FS IT leaders get on the front foot?
Zsuzsanna told webinar attendees that it’s important to embed the right behaviours into a culture alongside technology: “If an employee feels trusted, they’ll feel the responsibility to report and that they’ll be okay. We need to align security requirements with values.”
Building a trust-based culture
Businesses need to create an environment where technology mitigates security risks while allowing employees to remain productive. They can do this by making intelligent email DLP technology and training work together.
Tony explained that when organisations engage with employees and educate them, they can help people to do the right thing and avoid both everyday mistakes and targeted attacks. He said that the pandemic had forced organisations to look at their business models and innovate, rather than stick with what they’ve always done. And email security is no different.
Traditional DLP tools on the market haven't helped in this regard. Now is the time to invest in Intelligent Email Security that can address complex human-activated security incidents. It offers a guardrail to employees, creating a culture where it's 'okay to make mistakes' because they can trust the technical safety features wrapped around them.
If you want to watch the full webinar, you can find the recording here – on-demand and available to watch whenever you like.