People are highly reliant on email, particularly for sharing sensitive data, which comes with growing risks. Our 2020 Outbound Email Security Report found that 93% of organizations suffered email data breaches in the last 12 months. And while it's common to focus on threats outside the organization, insider risks are an even bigger challenge.
Here's a closer look at why your people are your greatest vulnerability and how you can protect sensitive data from being hijacked before it reaches its destination.
Risks of human error
According to the ITRC's 2021 Annual Data Breach Report, the most common mistake resulting in a data breach is emailing sensitive information to the wrong person. When confidential data is accidentally sent to someone externally, you’re suddenly dealing with a serious data loss incident.
For example, in May 2020, a team member at Serco, an outsourcing company, accidentally CC'd instead of BCC'ing almost 300 email addresses. Unfortunately, the emails belonged to newly recruited COVID-19 contact tracers, which put confidentiality at risk and could leave the firm under investigation by the ICO.
Risks of deliberate exfiltration
Whether accidental or malicious, insider threats are one of the top causes of data exfiltration. One example is Anthem Health Insurance. Over nine months, one of their staff members forwarded 18,500 records containing sensitive information to a third party.
In another breach, a GE team member exfiltrated over 8,000 files containing sensitive data in the hopes of setting up a rival company. And then there's Amazon, which emailed customers on three occasions to inform them that an insider had disclosed their personal information to a third party.
Benefits of encrypting attachments
When sending an email, you should feel confident that the information arrives at its destination safely. Some of the benefits of encrypting attachments include:
- Privacy: Emails often contain sensitive information like credit card numbers and personally identifiable information (PII). Encryption can prevent this data from falling into the wrong hands.
- Cost savings: Depending on how your email encryption is set up, it could save you money. For example, if you use an email provider with encryption integrated into the server, you won't have to purchase a separate product for encryption purposes.
- Compliance: Many highly regulated industries have compliance guidelines that require encryption. However, even if it is not required, encrypting PII can reduce legal exposure in the event of a breach.
How email encryption works
The two main approaches used for encrypting emails are Transport Layer Security (TLS) and end-to-end email encryption.
- TLS encryption: Providers like Microsoft and Google use TLS to stop emails from being read in transit. TLS prevents emails from being read after they are sent but before they are delivered. While TLS provides strong protection, emails are only protected while they are moving from sender to recipient.
- End-to-end encryption: End-to-end encrypted emails are secured at every delivery stage and can't be read by email servers. This method uses keys to secure email. First, the sender encrypts messages using the recipient's public key. Then, the recipient decrypts the message using a private key.
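To make the difference between the two approaches concrete, the following added example (not part of the original article) reads a received message and reports which relay hops recorded TLS in their Received headers and whether the body itself is an S/MIME or OpenPGP encrypted payload. The sample message, its hostnames and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: two relay hops, only the final one negotiated TLS.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id abc123;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.example.net (laptop.example.net [198.51.100.4])
\tby mx.example.net with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: Q4 payroll
Content-Type: text/plain

See attached.
"""

# RFC 3848 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_transport(msg):
    """Return (receiving_host, protocol, used_tls) per hop, oldest first."""
    hops = []
    # Each relay prepends its header, so reverse to get delivery order.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold the multi-line header
        m = re.search(r"\bby\s+(\S+).*?\bwith\s+(\w+)", flat, re.I)
        host, proto = (m.group(1), m.group(2).upper()) if m else ("?", "?")
        hops.append((host, proto, proto in TLS_PROTOCOLS))
    return hops

def payload_encryption(msg):
    """Classify end-to-end protection from the top-level MIME type."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = str(msg.get_param("smime-type", "")).lower()
        return "s/mime" if kind in ("enveloped-data", "authenveloped-data") else "none"
    if ctype == "multipart/encrypted":
        proto = str(msg.get_param("protocol", "")).lower()
        return "openpgp" if proto == "application/pgp-encrypted" else "none"
    return "none"

def assess(raw):
    """Summarise per-hop TLS and end-to-end encryption for one raw message."""
    msg = message_from_string(raw)
    hops = hop_transport(msg)
    all_tls = bool(hops) and all(tls for _, _, tls in hops)
    return {"hops": hops, "all_hops_tls": all_tls, "end_to_end": payload_encryption(msg)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Received headers are written by each relay, so only the ones added by servers you control can be trusted, and some mail servers record TLS in a comment rather than in the `with` keyword.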
How to send secure attachments in Gmail and Outlook
Gmail has a confidential mode feature that can help you protect sensitive attachments. Once you turn confidential mode on, enter the email expiration date and whether you would like SMS verification from the recipient. Then compose and send the email as usual. If you've enabled the SMS option, you'll have to input a phone number. While confidential mode is a useful feature, it's important to note that it still has security and usability limitations.
For Outlook, there are three ways to send a secure email:
S/MIME encryption
S/MIME encryption can only encrypt emails when the sender and the recipient have installed and shared their encryption certificates. In addition, S/MIME is costly, not widely supported, and vulnerable to outside attacks because people need to exchange encryption keys. If the key is compromised, your emails are no longer secure.
Office 365 message encryption
Office 365 Message Encryption (OME) is an exclusive option for Office 365 email account holders. It also requires the recipient to carry out several extra steps each time they receive a new message—like requesting a unique code and using that code to decrypt the email.
Outlook encryption add-ins
Outlook Encryption Add-ins allow for secure emails to be sent to any colleagues. This method does not require any installation, setup, or sign-in on the part of the recipient and is also probably the most cost-effective option.
Insider risk is your most complex security challenge. Ultimately, the safest and easiest way to implement email encryption is through a solution like Egress Protect, which intelligently applies security in proportion to the risk of a data breach.
Contact us to learn more about how we can secure the human layer and turn your biggest vulnerability into your greatest defense.