How a zero-trust model can help prevent email data breaches


Email data breaches are on the rise, with 93% of organisations experiencing an incident within the last 12 months. Could applying a zero-trust approach to email security be the key to keeping businesses safe?

We invited Joseph Blankenship, VP and Research Director at Forrester, to a webinar with Sudeep Venkatesh, Egress Chief Product Officer, to discuss just that. Joseph’s research focuses on security monitoring, threat detection, insider threat, and phishing prevention. Sudeep is a resident Egress expert on data protection with two decades of industry experience.

Taking a zero-trust approach is often seen as a key principle of keeping data safe – it acknowledges that everyone poses a risk to sensitive data, including staff within a business. However, applying a zero-trust model inherently requires you to verify a user’s every move, and this creates friction.

The key question is: can machine learning ease these tensions and make applying zero-trust models non-intrusive and seamless?

Why can’t we trust insiders?

Human-activated threats are surging. However, a zero-trust approach doesn’t mean treating employees with suspicion. It simply acknowledges that anyone is capable of making a mistake, being exploited, or breaking the rules.

During the webinar, Joseph walked through some data from Forrester research. They had discovered that 39% of internal data breach incidents were the result of inadvertent misuse or accidents. This was backed up by the experiences of our webinar attendees in a poll. We asked them which kind of breaches were the most prevalent and the winner by a long way was ‘sending to the wrong recipient.’

Misdirecting email is easy. When we mix up colleagues with similar names internally, this isn’t usually a big deal. But if sensitive information is leaked externally, this can have serious ramifications. Email data breaches can originate externally too – in the form of phishing. However, this still needs internal human error for an attack to work.

A perfect storm for phishing

Current phishing attacks are more sophisticated than ever and look very real. Anyone can fall victim to phishing attempts – even savvy security professionals. Especially when they’re rushing or stressed.

Cybercriminals have been quick to exploit the stress and uncertainty of the pandemic for gain. There have been attacks against newly deployed remote workforces using COVID-19 and vaccines as lures.

Remote working has created a chaotic environment for some people, with frequent distractions and lack of a dedicated workspace. Many have had their mood and morale affected by the pandemic. Add mobile working into the mix, and people are more susceptible to phishing than ever.

Is it really fair for the whole burden of spotting phishing attacks to be put on users? Especially when people haven’t been trained to catch sophisticated attacks? The same argument could be made about asking employees to double or triple check their email recipients and attachments.

Technical controls are needed as a guardrail to protect employees against both phishing and accidental email data loss.

Applying zero trust to email DLP

Joseph explained that we need to change our trust relationship with email. A zero-trust model is needed to protect both users and data. This kind of approach questions every user – who are they? What should they have access to?

Applying zero trust to email can protect users from phishing and ensure outbound communications are going to the right recipients. However, if this kind of approach is going to work, it needs to be user friendly. We don’t want to create admin overhead and usability issues.

According to Forrester research, 36% of people who broke security policy said they did it because it’s the most efficient way of getting their work done. 30% said they did it because security policies were too strict or unreasonable.

Enhancing user experience through technology

Sudeep explained to attendees that advancements in technology mean vendors can now apply zero-trust controls in the background without creating additional admin or disrupting the user. Solutions such as Egress Prevent and Protect use contextual machine learning to build up an understanding of how people work and who they communicate with.

Egress Prevent does this in an intelligent way, prompting users and asking them whether they’re sure they want to send sensitive information to someone they haven’t spoken to before, or wouldn’t normally send that kind of data to.

In a similar way, Egress Protect automatically applies the right level of encryption and offers gentle prompts when unsafe behaviour is detected. This removes friction for the user, rather than bombarding them with the prompts and rules associated with traditional DLP.

Good, intelligent security can actually enhance employees’ experience by removing the burden of decision making. Employees can enjoy a seamless experience on whatever device they’re using, knowing security is there and enforced.

Joseph’s final reflections from the webinar were that it might never be possible to stop every phishing attack reaching the inbox. But we can raise the bar so high that attacking becomes so difficult, it’s barely worth the reward.

If you’d like to watch the webinar, you can see the full recording on demand here.