“Oops I did it again!” – the psychology behind employee data protection errors and how to prevent them
Accidental insider data breaches are one of the biggest risks to data security and one of the hardest to manage. A breach caused by employee error can have far-reaching and financially ruinous consequences, and even well-intentioned employees are often just one mistake away from putting the business at risk: tiredness, haste or a simple lack of awareness is all it takes.
Email is a primary vector for inadvertent insider data breaches. Everyone has access to email and over 90% of employees will use it to share sensitive information in order to get their jobs done. Email has also never been more relied upon than now. Egress analysts have reported a 23% uptick in email volumes since the start of the COVID-19 pandemic, as organisations continue to support large-scale remote working. This alone increases the likelihood of misdirected emails, without taking into account the added distractions of working at home, such as childcare responsibilities and less-than-ideal technology set-up.
The COVID-19 pandemic has also increased exposure to external attacks. Cybercriminals prey on disrupted environments and heightened emotions, so it is unsurprising that we have seen significant increases in phishing and spear-phishing attacks designed to dupe workers into handing data or money directly to criminals.
Clearly this causes a major headache for CISOs and their security teams. Our Insider Data Breach Survey 2020 found that 78% of them think employees have put data at risk accidentally in the past 12 months. Misdirected emails and phishing attacks topped the list of accidental insider data breach causes, and almost a quarter of respondents said they had made a mistake because they were tired. And we're seeing this in incidents reported to the Information Commissioner's Office (ICO) as well. Their most recent statistics showed that misdirected emails were the top cause of incidents reported between January and March 2020, accounting for 20% more incidents than phishing attacks.
So, what can CISOs do to understand and manage this risk? The answer lies as much in psychology as in technology.
Identifying accidental insider breach personas
Organisations often invest a lot of time in analysing their employees' personality types, strengths, and weaknesses, so they can build the most effective teams and motivate individuals to achieve. It's a very useful tool, so why not extend it to identify the different types of data breach personas evident in every business, and link them to the particular risks they are vulnerable to? We have worked to categorise and build out the personality traits of employees at risk of causing accidental breaches, so organisations can support them to prevent mistakes.
Our first persona is nicknamed “Keen Katherine”. These are employees, often new to the organisation, who are keen to impress and develop their careers by seizing every opportunity. Energetic and loyal, they want to be helpful and may volunteer for extra duties to show willingness. This makes for a high workload and a busy inbox which they work through at speed, especially when requests come from more senior colleagues and management. Overall security awareness is low due to their inexperience, and it is possible these employees have not yet received full training or, if they have, they have not fully understood their responsibility for protecting data.
In their haste to respond to senior colleagues, Keen Katherines are susceptible to leaking sensitive company data by replying to spear-phishing emails without checking whether the message genuinely comes from the person it claims to. They are also at risk of adding unauthorised recipients to emails, whether to show other colleagues their worth, through lack of awareness of what data may be shared with whom, or by accepting an incorrect address suggested by Outlook autocomplete while trying to send as quickly as possible.
Our second accidental insider breach persona has typically been with the business longer. Nicknamed “Tired Tim”, he has a lot on his plate both personally and professionally, and more and more people will recognise themselves in him. He makes the most of mobile technology to get things done on the go, keeping his work performance high while staying on top of family and social commitments. Tim is working through an ever-growing to-do list, often late at night or while commuting, and is tired, distracted and stressed.
Tired Tim is most likely to cause a breach by sending an email to the wrong recipient, attaching the wrong document, or forgetting to use Bcc. Like 23% of respondents to our insider breach survey, Tim may be making mistakes because he is working on a mobile device, whose much smaller screen makes errors harder to spot; that has become far more common during COVID-19 homeworking. He is also prone to the trap of “I have to get this email out before my train pulls into the station” or “I can get this sent by 10:00pm”: he spends his time crafting the message, then rushes the “easy step” of adding recipients and attachments, which is exactly where the error creeps in.
Most people will recognise these two personality types and admit that they, at times, correspond to one or the other. In today's busy workplaces both types are put under the specific pressures – high workload, long hours, constant demand for communication and collaboration – that are likely to lead them to make mistakes and cause breaches.
Linking psychology and technology – how contextual machine learning can help
Now we know a bit more about these two personality types, what can we do to help them and prevent accidental email data breaches?
In the case of Keen Katherine, guarding against spear phishing is essential. This is a key application for intelligent email security that automatically analyses email addresses and flags discrepancies, such as a sender domain that differs from a genuine one by a single substituted or added character. Contextual machine learning can also learn Katherine's usual email behaviour and detect anomalies, alerting her when she inadvertently adds an unexpected recipient to an email group or tries to send sensitive content to an unauthorised recipient.
For Tired Tim, any assistance has to leave his workflow uninterrupted. Here the key is a security safety net that works in the background and only intervenes when risk is detected. This might take the form of a prompt to use Bcc when sending to a large group of external recipients, or of detecting attachment content that should not go to a particular recipient, or outside the organisation at all. By flagging these risks to Tim only when they arise, he can continue working at his usual pace while the risk he poses is reduced. Precision matters here: a prompt that fires on routine, legitimate emails soon gets clicked through by reflex, and then it will not stop the one that counts.
Critically, in both cases the technology works in the background as a safety net that activates before a breach occurs. It doesn't interrupt users or clash with their personas by being overbearing or cumbersome. Intelligent technology that uses machine learning to support this way of working is part of the emerging category of ‘human layer security’ that's revolutionising the way we can protect data on email and prevent breaches of security.
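To make the three checks described for Katherine and Tim concrete, here is a rule-based baseline of the kind a contextual system starts from. This is an added illustrative example, not Egress code and not machine learning: a lookalike-domain check for inbound spear phishing (homoglyph folding plus edit distance), an unexpected-recipient check against a sender's own history, and a Bcc prompt for large external distribution lists. The homoglyph table, thresholds, trusted domains and the sample sending history are all constructed for the example.

```python
"""Rule-based baseline for the email safety-net checks described above.
Illustrative example only: not Egress code, not machine learning.
Homoglyph table, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Substitutions commonly used to forge a lookalike domain (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class Message:
    sender: str
    to: List[str]
    cc: List[str]
    bcc: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def normalise(domain: str) -> str:
    """Fold homoglyphs so 'exarnple.c0m' and 'example.com' compare equal.
    Folding can merge genuinely distinct names too (barn/bam), so the
    result drives a prompt to the user, not a hard block."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain this one imitates, or None.
    Exact match is genuine; equal only after homoglyph folding, or within
    one edit ('examp1e.com', 'examples.com'), is the spear-phishing trick."""
    sd = sender_domain.lower()
    if sd in trusted:
        return None
    for t in trusted:
        if normalise(sd) == normalise(t) or edit_distance(sd, t) <= 1:
            return t
    return None


def unexpected_recipients(msg: Message, history: Dict[str, Set[str]]) -> List[str]:
    """Recipients at a domain this sender has never emailed before.
    A new colleague at a familiar domain is normal; a never-seen domain on
    a message to a familiar group is how an autocomplete slip surfaces."""
    past = history.get(msg.sender, set())
    past_domains = {domain_of(p) for p in past}
    return [r for r in msg.to + msg.cc + msg.bcc
            if r.lower() not in past and domain_of(r) not in past_domains]


def bcc_prompt(msg: Message, threshold: int = 10) -> bool:
    """True when many external addresses sit in To/Cc, visible to each other.
    Bcc'd recipients are not disclosed and internal all-staff mail is not a
    breach, so only external addresses in the visible headers count."""
    own = domain_of(msg.sender)
    visible_external = [r for r in msg.to + msg.cc if domain_of(r) != own]
    return len(visible_external) >= threshold


def assess_inbound(msg: Message, trusted: Set[str]) -> List[str]:
    """Katherine's case: is the 'senior colleague' really who they claim?"""
    look = lookalike_domain(domain_of(msg.sender), trusted)
    return [f"sender {msg.sender} imitates {look}"] if look else []


def assess_outbound(msg: Message, history: Dict[str, Set[str]]) -> List[str]:
    """Tim's case: a wrong recipient, or a list that should have been Bcc."""
    past_domains = {domain_of(p) for p in history.get(msg.sender, set())}
    findings = []
    for r in unexpected_recipients(msg, history):
        look = lookalike_domain(domain_of(r), past_domains)
        findings.append(f"unexpected recipient {r}" + (f" (looks like {look})" if look else ""))
    if bcc_prompt(msg):
        findings.append("large external recipient list in To/Cc: use Bcc")
    return findings


# Constructed sample data: trusted domains and one user's sending history.
TRUSTED = {"example.com", "partner.co.uk"}
HISTORY = {"katherine@example.com": {"boss@example.com", "finance@example.com",
                                     "alice@partner.co.uk", "bob@partner.co.uk"}}

if __name__ == "__main__":
    print(assess_inbound(Message("cfo@exarnple.com", ["katherine@example.com"], []), TRUSTED))
    print(assess_outbound(Message("katherine@example.com",
                                  ["alice@partner.co.uk", "alice@partner-co.uk"], []), HISTORY))
```

The outbound check deliberately keys on the domain rather than the individual address: a new person at a partner the sender already deals with is everyday business, whereas a never-seen domain one edit away from a familiar one is the autocomplete slip the text describes, and the combined message tells Tim exactly why he is being interrupted. A real system would learn the history and thresholds per user rather than hard-coding them, which is where the contextual machine learning the text refers to comes in.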
Seizing the opportunity to address insider breach risk
The human factors that put data at risk of accidental insider breach are not going to change, so it's important to deploy technology to mitigate these risks that, crucially, will be adopted by users. Tools built using contextual machine learning that can prevent misdirected emails, protect users against phishing attacks and stop sensitive data inadvertently leaving the business are transformative in reducing the email security risk that has proved so intractable for so long.
As email use rises and more employees work from home over the long term, businesses need to take this opportunity to tackle the risk and make email a safer tool for users and the business.