Why Email is the Biggest Security Vulnerability of All

A Security Threat Hiding in Plain Sight

There’s been a lot of buzz around remote work and securing enterprise collaboration tools like Microsoft Teams and SharePoint from data loss, and for good reason. However, email which is arguably the oldest and most commonly used collaboration and communication tool, can be just as big a threat when it comes to data loss and breaches caused by employees or ‘insiders’. A recent Forbes survey found that nearly half (47%) of IT leaders said email is the threat vector they’re most concerned about protecting when it comes to data loss prevention. So, how big the threat and what can be done to ensure email data loss prevention?

Why Email is the Weakest Link

We use email every day to communicate with our colleagues and third parties to provide updates and share ideas, as well as collaborate on documents, spreadsheets, and more. However, the consequences of sending an email to the wrong person can be dire. Once you hit send you can’t retrieve it or track where else it goes once the recipient gets a hold of it. These are the top three ways data leaves the company via email according to Forbes:

1. Sending Email to the Wrong Person

We’ve all had that ‘Oops’ moment when we realize we selected ‘Chris’ instead of ‘Christine’ and hit send. Surprisingly, it’s simple errors like this that actually pose one of the biggest threats to data security. Misdelivery (documents and email that ended up with the wrong recipients) was the fourth most common action associated with a data breach according to Verizon’s 2020 Data Breach Investigations Report. There can be serious consequences for an innocent slip of the keyboard. For example, a misdirected email that contains personally identifiable information (PII) that can be accessed by an unauthorized recipient is considered a data breach under GDPR and other data protection regulations around the globe.

2. Sending Email to Personal Accounts

The shift to remote work has resulted in employees downloading a lot more data to personal accounts and devices to simply get their work done. A recent survey found a 49% increase in email attachments and 123% increase in data being copied to USB drives with 74% of that data marked as “classified” since the pandemic began.

While this may not be malicious activity, employees are underestimating the consequences of sending sensitive data to personal email accounts. Depending on the nature of the data, this act alone can constitute a data breach.

Not to mention you wouldn’t want intellectual properly or other material company information being stored in an employee’s personal email account, cloud share or device that is probably not as secure as corporate sanctioned accounts and systems, and is impossible to track and manage.

3. Malicious Users Stealing Data Via Email

While in many cases email data loss is accidental or due to negligent behavior, unfortunately there are people who use email to steal company data for personal gain. In these instances, the stolen data is used for business advantage and taken with them to a new job, to start their own competing business, or handed over to a foreign government or organization. Our last blog, Five Risky Misconceptions About Intellectual Property Theft, detailed several real-world examples of insider IP Theft.

Email is the perfect vehicle for insider data theft because when an employee emails themselves a document, all its permissions are removed when it is attached to the email. So, for example, if the malicious employee’s access permissions on the file share, SharePoint or Teams is View/Read only, once the email is received, the user now has full control over the attachments so they can save, edit, print it, etc.

It also opens up another security vulnerability as the email and its attachments will remain in the user’s “Sent Items” in Exchange. This enables any administrator to look at the documents even though that same administrator does not have access/visibility to that document in the file share, in SharePoint or Teams. There are well documented cases of snooping admins that lead to serious breaches (think Snowden).

It’s far too simple to simply email yourself a document without anyone knowing – unless the business has preventative measure in place.

The Types of Data that Pose the Biggest Risk

While each organization is different, sensitive data or information that falls into one of these 3 categories can have significant consequences for the business and your bottom line if accidentally shared or stolen via email:

• Personal Data – This is not limited to personally identifiable information (PII) and Protected Healthcare Information (PHI) but also includes HR information, biometric data, etc. If breached it is often subject to regulatory and legal penalties.
• Business Data – Trade secrets, acquisition plans, financial data, supplier and customer information, etc. that are critical to the business.
• Classified Data – Most often used by government, classified data is restricted according to its level of sensitivity (for example, restricted, confidential, secret and top secret).

Email Data Loss Prevention Tips

If you have legal, regulatory, or contractual requirements to prevent data loss or if you just want to retain your company’s intellectual property and business-critical information (like customer account lists) be sure to protect email from insider threats. Make sure that you’re properly training your staff on email policies and have a data loss prevention solution for email (and your other collaboration tools) in place to protect email from insider threats, just as you do for external threats lurking in email such as phishing links, malware and ransomware.

Protect your sensitive data and IP from accidental data loss and malicious users, with these advanced information protection capabilities from NC Protect to automatically:

1. Encrypt sensitive email attachments
2. Block email attachments that contain sensitive data
3. Replace attachments with a link to a URL that requires the recipient to authenticate.
4. Force viewing of sensitive documents in a Secure Reader to prevent saving, copying and/or printing.
5. Apply personalized watermarks that containing information about the user to deter photographing and leave a digital thumbprint in case of theft.
6. Stop admins from viewing documents sitting in the sent folders of other users.

Email is an essential business tool for communication and collaboration. The key is to balance the collaboration benefits with the right security tools to ensure that information isn’t accidentally shared or deliberately removed via internal threat vectors.

Learn more about NC Protect’s advanced information protection capabilities for email and other collaboration tools.