Few words can make your heart sink faster than, “Hey, I think this message was meant for someone else.” And it’s one thing when a personal text message winds up in the wrong hands because “Mom” happens to be next to “Monica” in your contacts, but it’s quite another when it happens at work. As both regulatory bodies and organizations themselves become more serious about data protection, the consequences of accidentally leaking data—most commonly through misdirected emails—can be much more serious.
Fortunately, organizations are beginning to realize the extent to which this problem affects them. Over 70% of executives believe their organization has experienced an accidental internal breach within the past five years. Almost half (44%) think this happens when using company email accounts. The connection between these two statistics is clear, and has led to increased recognition for a new and necessary layer of cybersecurity: human layer security.
Email remains remarkably vulnerable
The rise of business email compromise (BEC) attacks has highlighted the vulnerability of email. BEC attacks prey on employees who are distracted, unobservant, or just plain busy: the attacker impersonates a manager or company executive and asks the employee to do any number of things, ranging from filling an invoice to providing administrative network credentials. The perpetrators of BEC scams understand how to make their messages look legitimate, and most people don’t thoroughly scrutinize every email they receive. These scammers only need to be successful once to see a potential payday—or to infiltrate a network.
The prevalence of BEC attacks clearly illustrates the risk posed by erroneous emails. The FBI has issued multiple warnings about these scams, with losses from BEC attacks now totaling over $26 billion. Regulatory and governmental bodies have begun to take notice, as well—email security factors heavily into the new California Consumer Privacy Act (CCPA), which carries heavy penalties for noncompliance. With other states beginning to follow in California’s footsteps, implementing ways to better secure data shared by email has become a high priority for organizations.
Human-layer security produces encouraging results
They say the first step toward solving a problem is admitting you have one, and organizations are definitely beginning to recognize the threat posed by these accidental employee breaches. In fact, it’s a top-three concern for security decision makers, with nearly half of respondents listing it as a high priority, and corporate and personal email continuing to be the leading applications behind accidental data leaks. The fact that organizations have been able to identify these weak points is encouraging.
Now that the problem has been recognized, it’s time to address it. Increased use of encryption is an important first step, and the growth of human layer security has proven to be a real difference maker in the fight against accidental breaches. The rise of intelligent technologies like contextual machine learning has given defenders a new weapon that can not only help prevent potential breaches, but also empower employees to correct their own mistakes before they happen.
As many as 44% of employees admit that they may have accidentally leaked confidential information via email, but not every incident is reported to the security team. Whether from fear of punishment, reputation damage, or other consequences, many are likely to keep what seems like a minor mistake to themselves. Unfortunately, this type of incident underreporting is how the price tag for BEC scams has risen to $26 billion. Contextual machine learning changes this by learning what “normal” behavior looks like for an employee—which is to say, it learns who they commonly exchange emails with and what they discuss, etc.—and flags potentially anomalous behavior (such as sending privileged information to an unrecognized email address) to the employee, giving them the opportunity to fix their mistake before it even happens.
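The recipient check described above can be sketched in a few lines. This is an added example, not any vendor's product and not contextual machine learning: it swaps in a simple heuristic (sent-mail frequency plus edit distance), and the addresses, history, function names and thresholds are all constructed for illustration.

```python
from collections import Counter

# Constructed sent-mail history for one employee (recipient addresses only).
SENT_HISTORY = (
    ["monica.reyes@example.com"] * 4
    + ["legal@example.com"] * 3
    + ["j.patel@partner.example"] * 2
)

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def build_profile(history):
    """'Normal' behavior here is simply how often each address was mailed."""
    return Counter(addr.strip().lower() for addr in history)

def check_recipient(addr, profile, min_seen=3, max_dist=2):
    """Return None for a known correspondent, else a reason to prompt the sender.

    min_seen and max_dist are assumed thresholds, not tuned values.
    """
    addr = addr.strip().lower()
    if profile[addr]:
        return None
    # A never-seen address that is a near miss of an established contact is
    # the classic misdirected-email or impersonation pattern.
    for known, count in profile.most_common():
        if count >= min_seen and edit_distance(addr, known) <= max_dist:
            return "lookalike:" + known
    known_domains = {k.partition("@")[2] for k in profile}
    if addr.partition("@")[2] not in known_domains:
        return "new-domain"
    return "new-address"

if __name__ == "__main__":
    profile = build_profile(SENT_HISTORY)
    for to in ("monica.reyes@example.com", "monica.reyes@exampel.com",
               "monica.reyes@mail.example", "hr@example.com"):
        print(to, "->", check_recipient(to, profile))
```

The prompt goes to the sender before the message leaves, which is what lets the employee correct the mistake without having to report it afterwards.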
The human layer is about more than security—it’s about trust
The penalties prescribed by CCPA for failing to appropriately protect data are steep, with a fine of up to $2,500 levied for each violation—which is counted as each individual whose data is compromised. In today’s world, the number of people affected by a given data breach can run into the millions, which means the financial penalty alone can be staggering. This is before even taking into account the other damage—reputational and otherwise—caused by the attack. And while no system is perfect, the rise of human layer security has given organizations a critical new way to not only protect themselves and ensure regulatory compliance, but also foster a culture in which employees feel trusted and empowered to self-correct even the simplest of mistakes.