Remote working is putting data at risk. But it doesn't have to...

Egress CEO Tony Pepper advises how organisations can keep their data safe in the era of mass remote working

Email is the primary cause of data security incidents, specifically accidental and intentional exfiltration of data by employees. In fact, data emailed to the wrong recipient has been the top cause of security incidents reported to the ICO for the first six months of 2020, and in their most recent Data Security Incident Trends report (covering April - June 2020), misdirected emails outstripped the number of incidents reported from phishing by 44 per cent.

Egress' 2020 Outbound Email Security Report, released in September, drives home the risk even further, finding that 93 per cent of organisations have suffered email data breaches over the last 12 months - and these weren't standalone events: on average, organisations experienced an email data breach every 12 working hours.

For those working during the pandemic, one of the biggest changes brought about by 2020 has been the shift to full-time remote working. As the coronavirus pandemic emerged back in March, those of us who were able to packed up our laptops and headed home, carrying out our daily work from kitchen tables and makeshift home offices. As the pandemic continues, it looks as though, for many, a return to the office could still be many months away. Working from home has presented a multitude of security challenges for IT leaders, who've worked hard to ensure employees have access to video conferencing facilities and VPN connections. However, it is impossible to ignore the increased security risk caused by such a significant upheaval in employees' working patterns.

Thanks to remote working, organisations are relying on email as a tool for communication more than ever before - which is really saying something! In fact, 93 per cent of organisations have reported an increase in outbound email volumes, with one-in-two reporting a rise of over 50 per cent. With far more emails being sent, there's logically going to be a greater surface area for risk. There's also the sense for many employees that they're further away from their IT and Security teams, with fewer opportunities for education, leaving data security to fall by the wayside.

Employees are also facing a myriad of distractions when working from home, from children and pets to delivery drivers ringing the doorbell. They're also experiencing increasing levels of stress, with the line between work and home life more blurred than ever before. It's not surprising, then, that almost one-in-four (37 per cent) email data breaches were caused by employees feeling tired or stressed. When we're not concentrating - whether that's because of a physical distraction in our workspace or because our mind is wandering due to stress - we are much more likely to make mistakes. In fact, 80 per cent of organisations reported data being put at risk for a reason as simple as the wrong recipient being added to an email. A further 80 per cent reported the wrong file being attached as the cause. With rising stress levels among employees as a result of remote working, this is a real concern for organisations.

In the face of this growing issue, what can organisations do to ensure that data remains safe when employees are working remotely? The answer is to put a safety net around them.

A key issue around email data breaches is lack of employee awareness, which is exacerbated by working from home and feeling 'far away' from their IT team. Organisations have a duty to educate their employees about the risks involved with sending emails to the wrong people, or with the wrong data attached.

However, human error is inevitable (otherwise we'd have mitigated it through training by now!), and this is especially true when working remotely, so organisations must also put technology in place to prevent breaches.

Unfortunately, many organisations don't have adequate solutions in place to truly mitigate today's email risks. In fact, our recent survey revealed an average organisation of 250 employees experienced 180 email data breaches within the last year.

Where technical controls have been implemented, many organisations continue to rely on legacy email DLP solutions, with static rules that can't understand or learn from user behaviour. Typically, these rules prompt users too frequently because they can't tell when behaviour is abnormal and therefore risky. This leads to 'click fatigue': employees ultimately become de-sensitised to the tool, ignoring prompts and sending misdirected emails anyway.

The good news is that in recent years, advances in machine learning have meant that the risk of outbound email data breaches can be mitigated. Machine learning is able to understand the way each individual employee uses email, including their behaviours and relationships. It can learn what's normal / 'good' security behaviour, and what isn't, for each individual user, recognising any behaviour that's out of the ordinary, and prompting users only to let them know when they're putting data at risk. In essence, this technology can prevent email data breaches before they can happen. As the shift to remote working looks set to continue, at least in the medium term and with a future of great flexibility on the horizon, it's up to organisations to get on the front foot to solve this problem by using the latest technologies.