Email Unsafe for Transferring Sensitive Files: How COVID Made it Worse
By Doug Barney, Tech Evangelist, Progress
Remote work has increased email security vulnerabilities, exposing files in transit.
The Human Factor 2021 Report found that COVID and remote work increased the vulnerability of email, in particular privilege attacks. Data leakage likewise rose, with the sending of sensitive files and wanton file copying as key culprits.
The sad fact is that email, as insecure as it is, remains the predominant way confidential files are shared. Let’s take the legal market as an example. “In legal institutions, email can be an efficient and important conduit for conducting attorney-client communications. However, law firms can be caught between a proverbial ‘rock and a hard place’ with regards to this form of correspondence. While clients demand a simple way to work together, it is essential that electronic communication does not lead to security risks: i.e. someone other than the client or privileged third party obtaining confidential documents,” argued an article on LegalITProfessionals.com. “A recent study of law firms’ file sharing processes revealed that a minority of law firms are using security technology to protect electronic communications: email encryption (22%), password-protected documents (14%), use a secure file sharing site (13%).”
Email is far from reliable. How many times has your message been bounced back or stuck in the junk mail folder? What if you key in the wrong address? Now someone you don’t even know has those unannounced company financials and may well send them off to the competition. And how do you ensure your email and the attachment go to the recipient? Do you really rely upon return receipts? When was the last time that ever worked?
Email also does not scale for file transfers: many email clients have file size limitations, so you can’t send larger files anyway.
There are three big problems with email attachments – file interception, data leakage and compliance.
The Email Explosion
Did you know that an average business user sends out some 5,000 email attachments every year? “Around 306 billion emails are sent and received every day. In the corporate environment, about 25% of messages carry file attachments, or 76 billion messages,” the “Why We Can’t Secure Our Data with Business as Usual” blog noted.
That is a lot of information that can be waylaid, sent to the wrong person (or even an entire distribution group!), and passed along to others who have no right to see it.
And when businesses shoot around attachments willy-nilly, there is real trouble. “Sending an email is like sending a postcard: Everyone or every system that handles it can see and record what was written. This is not a problem obviously if the contents are nothing of interest or importance. It is a big problem, however, if the contents include sensitive data, such as banking details, network passwords or customer data,” argued TechTarget.
These attachments are wide open. “Each of those 17,000 files per user per year is readily accessible to whoever has a copy of the email, and that includes the hackers who breach the email system, backup servers, a misplaced device, PST file, etc. — whether in your organization or any organization you communicate with,” the “Why We Can’t Secure Our Data with Business as Usual” blog said. “Furthermore, given that email attachments provide no possibility of revocation after being sent when systems are breached, valuable corporate content sent years before is still there.”
The Massive Attachment Attack Surface
In a Ponemon survey of 830 IT, security, and compliance pros, half said that improper handling of email by workers was the biggest data leak cause. Misuse is the key problem, as 69% of respondents said workers violate company security policies, and too often transfer confidential data through email without sufficient security, often using personal web-based mail accounts to make the transfers.
Mistakes are another big problem, as 63% of those polled said employees sent confidential information to folks outside the workplace – by mistake!
Email is “such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner,” Larry Ponemon, chairman and founder of the Ponemon Institute, told eWeek.
Osterman Research, another noted security authority, separately found that 20-25% of messages include attachments, and attachment-laden messages constitute a full 98% of all data sent by email. The result: 75% of a company’s intellectual property is held in either email or related attachments. That’s your crown jewel.
The People Problem – Human Email Error
You’ve heard tales of someone (maybe it was you) sending a nasty email to a co-worker, only to find it went to your boss – or your entire department or company. These mistakes happen more than you might think, with some recent findings revealing that a third of people confessed they’ve accidentally sent mail to the wrong person. If the email has sensitive information, that right there is a breach.
Email sent to the wrong person(s) is particularly painful for some highly regulated industries. According to the UK’s Information Commissioner’s Office, which protects information rights, “misdirected emails accounted for 20% more reported incidents than phishing attacks. The ICO’s Data Security Incident Trends Report further argues that ‘data emailed to incorrect recipient’ was the leading cause of non-cyber-related security incidents for businesses in the finance, insurance and credit sectors.”
In the financial sector, laden with sensitive personal and financial data, email missteps continue to cause havoc according to the esteemed 2021 Verizon Data Breach Investigations Report. The “sending of emails to the wrong people, represents a whopping 55% of all Error-based breaches (and 13% of all breaches for the year),” Verizon found.
For File Transfers the Easy Way Out is Not Usually the Best Solution
Email is always the easy route for file sharing as many of us literally live in our email application during the workday — which in these days of remote work often turns into the work night. “Sharing sensitive or confidential files with other people can be a challenge. Email is typically the most convenient option. But by default, email is not secure. On their own, your emails are neither encrypted nor authenticated in any manner, which means that people beyond you and the recipient can potentially access and read them,” argues TechRepublic in its “Many People Using Email to Share Files Despite Lack of Security” blog.
TechRepublic referred to a UK/US-based survey of file sharing practices which found that 58% of US respondents and 56% of UK-based users rely on email as their most prevalent method of sharing files. Meanwhile, 35% use cloud services for file sharing. Just 10% use an actual file transfer service.
Email and File Encryption
Regulated industries have rules for encrypting data sent by email, and to avoid fines and reputation-crushing bad publicity, tend to adopt some encryption solutions. However, encryption for regulated and non-regulated organizations is far from what it should be. “While regulatory compliance remains the biggest driver for deploying email encryption, 84 percent of survey respondents said they don’t know what information needs to be encrypted. Of the organizations without email encryption, more than half, or 67 percent, were unaware there are regulations governing how sensitive information should be sent over email,” the eWeek story said.
Many Understand the Problem – but Haven’t Solved it
Companies themselves tend to understand email risk but haven’t adopted a better solution. A recent email security report demonstrates the fear. “More than two-thirds (70%) consider it likely (39%), extremely likely (26%) or even inevitable (5%) that an email-borne attack will damage their business sometime during 2021,” found the State of Email Security Report (SOES). “This is up sharply from 2020, when only 59% of SOES survey respondents felt that was the case. Even more significantly, at those companies where the use of email rose during the past 12 months, the portion of respondents who saw an email-based attack as likely or inevitable rocketed to three-out-of-four (75%).”
The answer is to demand that sensitive files be encrypted, and their journeys tracked and audited.