Avoiding Email Data Security Breaches

Pause for a second and take advantage of another pair of eyes!

|
|
PUBLISHED on
5 Oct
2022

For all of us, email can be both a blessing and a curse.  On one hand you have the speed and convenience of communication and an audit trail, and on the other hand you have a significant information security risk.  In recent years, a number of large Information Commissioner’s Office (ICO) fines have arisen due to simple human error in relation to email communication.

What are Some of the Email Risks?

There are a range of risks attached to email communication, one of the biggest involving emails containing personal data being sent to the wrong email address.  This could be the result of a number of factors including:

  • A typo in the address held for the person on the organisation’s CRM database
  • Transcription error by the sender
  • The sender incorrectly selecting another addressee suggested by the email system’s autofill predictive text feature
  • Accidentally including other recipients of the email in the ‘cc’ line (i.e., visible to all) rather than ‘bcc’ (‘blind copy’).

There is also the risk of an individual forwarding an email which contains sensitive information within the email trail.

Such errors are greatly amplified when the contents of the email contain highly sensitive personal data, for example, ‘delicate’ medical information.  The results of such apparently ‘simple’ oversights can be catastrophic, both for the individuals concerned and the sender organisation.

How Can We Reduce the Risks?

There are, of course, technological solutions which organisations can deploy to minimise the risk of staff members causing ‘email’ data breaches.  For example, where the email system identifies an unfamiliar email address in the ‘To’ field, before the email is sent.  However, while these tools may pick up a database typo or an incorrectly addressed email, they do not address the other types of misdirected email risks, e.g., the mistakenly clicked-on autofill or the use of ‘cc’ instead of ‘bcc’.  In other words, the addresses in themselves are perfectly valid, but the sender has inadvertently entered them in the wrong email, or in the wrong line on the right email.

Need for ‘People’ and ‘Process’ Controls

Where technology cannot eliminate a risk, organisations must concentrate their risk reduction measures on the other two elements of organisational risk management, i.e., ‘people’ and ‘process’.  This can be achieved through the delivery of training sessions where the goal is to instil the importance of users getting into the habit of pausing for a few seconds before pressing the ‘Send’ button.  Users should be encouraged to pause and double check that the recipient email addresses on their emails are correct (sometimes called the ‘check twice, send once’ approach).  They need to check that typos don’t result in messages being delivered to an unintended recipient, potentially leading to an unauthorised disclosure of personal data.  Users also need to be reminded to check full email trails to ensure there is no inadvertent disclosure of sensitive information or personal data within the trail.

Second Pair of Eyes

Some organisations, which regularly send emails containing sensitive personal information outside the organisation, have found it beneficial to institute a procedure (‘process’) for mitigating the risk of incorrect addressing, and which is often referred to as a ‘second pair of eyes’.  This involves an ‘appropriate’ colleague, perhaps the email writer’s line manager, checking the intended sender’s email, prior to sending, to ensure that all recipients are correctly specified and the appropriate ‘cc’ or ‘bcc’ line has been used.  Whether adopting such a ‘second pair of eyes’ protocol is feasible in your organisation will depend on such factors as the volume and frequency of emails containing sensitive personal being sent, the number of appropriate reviewers available and any other technical solutions used, for example, some automated email software packages allow bulk emails to be sent to individual addressees, removing the need to use the ‘cc’ or ‘bcc’ fields.

Satisfy GDPR Requirements

Principle 6 and Article 32 of the UK GDPR require organisations to implement appropriate technical and organisational security measures proportionate to the risk involved in their processing of personal data.  Taken together, these two simple but effective data risk reduction organisational measures, which could be summarised as ‘Take a second, or use a second pair of eyes’, could help your organisation meet the requirements for email security controls, sitting alongside your organisation’s email acceptable use policy.

Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!

By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Thumbnail of the Blog Illustration
Data Protection
Published on
21/6/2022
When and How to Conduct a Data Protection Impact Assessment (DPIA)

A DPIA delivers a pre-emptive approach to assessing these risks, and can prevent a data breach occurring. We present an outline of steps in conducting a DPIA

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
14/12/2023
Information Commissioner’s ‘Today’ Interview 13/12/23

URM discusses an interview with the Information Commissioner, John Edwards, and the background of the penalty fine imposed on the Ministry of Defence (MOD).

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
What is the Purpose of ISO 27701 and What Benefits Does it Bring?

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.

Read more
I know many Cyber Essentials providers are rigid to the point of not understanding the goal of CE, but we haven’t found that with URM. We are extremely happy with the service we’ve received – our Cyber Essentials recertifications are always painless and straightforward. The different assessors we’ve had have all been great and pitch to the right level, as well as having an extremely strong knowledge of the subject matter. The account management side is also excellent. Our Account Manager checks in with us on a regular basis, and is very approachable and credible, with a comprehensive understanding of Cyber Essentials.
CISO at University of Surrey
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.