For those working remotely during the pandemic, changes to how work is done have significantly increased stress levels – and when we’re stressed, we’re more likely to make mistakes that result in sensitive data being inadvertently put at risk.
Our 2020 Outbound Email Security Report revealed that stressed and tired employees are behind 37% of the most serious data leaks – caused by all-too-common culprits, including adding an incorrect recipient to an email, attaching the wrong document, replying to a spear phishing email and forgetting to use Bcc.
Why do stressed employees make mistakes?
Stress changes how we make decisions. When we have to make a choice under pressure, we default to thinking about rewards over risks, and how we can get out of this situation and into one that’s “calmer”.
Long-term remote working in 2020 has removed many of us from our normal working environments and transported us to familiar – and yet unfamiliar – settings to deal with these pressures and a whole host of new ones. From “Zoom fatigue” to the demands of childcare, our entirely remote employees are subject to more distractions and pressures than they faced in the office. They’re also handling these pressures away from their normal support structures and the environment they’re used to working in.
Let’s imagine a scenario. An employee needs to share a client file over email. They’re crafting their message and attaching documents, all while aware that they only have a few minutes until their next virtual meeting. They must send this email before that meeting starts. Then, the doorbell rings: a delivery driver is delivering a package and the at-home employee doesn’t want to ignore it and reschedule the delivery.
There’s one minute before the meeting starts: just enough time to add the recipients to this email and hit “Send”, rush to the door to collect the package, and then join the virtual meeting. Unfortunately, Outlook autocomplete suggested the wrong recipient and, in their rush to get to the door and join the meeting in time, the employee doesn’t notice that the client’s data is sent to the wrong recipient.
This example illustrates how decision-making when stressed and the pressures of remote working combine to amplify human error. The employee has a hard deadline: they need to get the email sent and the door answered before they join the virtual meeting. Both of these also offer immediate rewards and alleviate pressure – one item is ticked off the to-do list and a repeat delivery of the package doesn’t have to be organized.
What’s the scale of this problem?
Findings from the report show that 94% of organizations have experienced a data breach through email in the last year. These aren’t one-off occurrences either – an organization of 250 employees reported 180 incidents that put data at risk, equating to one every 12 working hours.
That’s 180 incidents requiring resources for investigation and remediation – and where client data is involved, the incident can jeopardize working and business relationships. No client wants to pay an organization for services if they don’t have assurance their data can be kept secure at all times, including when shared via email.
Findings from the report show that in 33% of severe email data breaches, the organization suffered negative financial impacts, including customer churn. One-quarter (26%) of these incidents led to investigation by regulators and the same percentage led to reputational damage. The impacts aren’t solely restricted to the organization, either. In 46%, the employee involved received a formal warning, in 28% they were sued, and in 27% they were fired.
We give every employee in our organizations access to email and use it to facilitate client relationships, but organizations aren’t also implementing the guardrails and safety nets that prevent basic human errors from leading to breaches.
Is there a way to help stressed out employees be more secure?
The bad news first: unfortunately, the static technologies we’ve relied on to date haven’t mitigated this risk because they can’t take into account the context in which a user is sharing certain information and their behavior at that moment in time. They rely on an email meeting pre-defined, fixed criteria before a subsequent action is taken – i.e., blocking an email from being sent or automating encryption – or they require users to make the right security decisions, such as confirming the recipients on every email being sent, which for the majority of users rapidly leads to click fatigue.
Awareness and training, while a necessary part of your security strategy, also can’t significantly reduce human error. In moments of pressure, training goes out of the window as a quick decision is made. Similarly, as time passes, people become over-confident that they haven’t made a mistake yet or simply forget as other news and items become more important to them in that moment.
However, advances in contextual machine learning provide the positive note at the end of this article! While static technologies can’t predict and mitigate human error, machine learning has the intelligence to deeply understand an individual user’s behavior and relationships to validate in real time that email recipients are correct against the content in the message body and attachments. When they’re not, the user is prompted before the email is sent. If they are, no prompt shows and the user doesn’t get tired of interacting with software that isn’t adding value in that moment.
The pandemic has pushed insider risks to the forefront of the security agenda, making it more important than ever before to empower individuals to work productively and securely. We’ve secured our network layer and our application layer – it’s time to secure our human layer.