Why email entails major risks under the GDPR

In 2017 more than 10,000 data leaks occurred. More than half of these leaks were caused by human error.

The moment data is leaked or hacked, criminals can start using the data. When large-scale leaks occur, data abuse almost never happens immediately for all the data affected. Even if hackers do not do anything with your data, there is always the risk that others will.

As we saw above, personal data can be leaked on a large scale due to external errors. However, a leak could also be caused within your own organisation by one of your own employees.

Example:

Thea works at a large regional hospital. Every month, she sends a database to an external supplier so that they can produce a management report. This database contains various types of personal data and other privacy-sensitive information. That includes names and Citizen Service Numbers, but also Diagnosis and Treatment Combination codes and referrals for further treatment. To send this extensive quantity of data, most of which is sensitive, Thea has several options at her disposal. She could send this data in small chunks by ‘normal’ email, send a USB memory stick by post, or use a public file transfer service.

And then things go wrong. Thea decides to send the email through Outlook, as she always does. She types ‘Ro’ and the email program auto-completes the name. She presses ‘send’ and the email is out of her hands. However, the data is not sent to Robert at the external IT service provider, but to Rose from the home care organisation, who Thea often emails.

A huge database of sensitive information is now exposed, causing incalculable damage. Just by selecting the wrong recipient, Thea provided ‘unauthorised’ access. All the people involved must now be notified, and the CISO of the hospital has to report the data leak to the Dutch Data Protection Authority.

Commonplace

Such data incidents are commonplace in many organisations, but many stay hidden under the radar. The cause of these incidents is usually twofold. On the one hand, employees are not aware of the consequences of their actions. On the other hand, organisations often do not have proper systems in place to safely send emails and files.

Five reasons why email leaks are virtually unavoidable
Email is one of the most common ways to communicate within organisations, and at the same time also one of the most error-prone. How is it possible that security leaks are so often caused by email? Read more about the five most common reasons below.

1. Email is not properly protected by default

Many organisations fail to secure their email by default, which means email is usually sent unencrypted. That means that everyone who receives this email can also read it – including people who get these emails by accident.

Attachments are often not secured either, even though Excel workbooks, Word documents and PDF files can easily be password-protected. For security reasons, users should not send the password to the receiver by email but by a different channel (for instance by text message). In practice, virtually no one does that, probably because it takes more time.

2. Email is untraceable

Suppose you want to send an email to your colleague, Ms Jansen. After you have clicked send, you realise that you have accidentally sent that email to another person named Jansen... who works for a different organisation. From that moment on, the problem is out of your control. No one can find out what happens to the information contained in that email. Will the email be deleted without being read, or will it be forwarded?

This is a huge problem in actual practice. Once you can no longer identify everyone who has seen that information, you no longer have any control over it. In many cases, there are no options for recalling emails that are sent by mistake, let alone technical options for figuring out where the data went from there.

3. Internal emails get less attention

A leak is also easily created within your own organisation. Several employees are discussing a treatment plan for a patient. The entire organisation is added in the CC, and suddenly everyone knows the details of the patient’s medical history.

The risk of sensitive information ending up in the streets is much lower when using internal email. Unfortunately, that lower risk is not a criterion in the eyes of the law: an email containing sensitive information should always be sent securely, even if that email stays within the organisation.

4. Standard email boxes are easy to hack

It can happen to a government minister or to the Democratic Party in the USA, so why couldn’t it happen to you? An email account is hacked. This often happens because the security measures are insufficient. The email account of our own Minister Kamp was hacked by means of a phishing attempt. Sometimes computer criminals gain access to an email account because it has a weak password or because two-factor authentication has not been used. If someone gains unauthorised access to the inbox, you don’t want them to immediately gain access to all the information contained in your inbox.

Spoofing

Malicious parties use other ways to abuse email. One such example is spoofing. An attacker copies the email address of someone in your organisation and sends emails from that address. Someone working in the financial department receives an invoice that seems like it came from a member of the Board of Directors, and pays it as requested. In reality, this invoice was sent by a criminal – who controls the bank account on the invoice. Taking proper security measures makes it possible to prevent these types of attacks.

5. Employees are not aware of the importance of using secure email

The average employee receives dozens of emails every day. Email has become a reflex; we no longer think about what we’re doing when we send and receive email messages. This means that employees communicate the most banal matters (such as announcing that there’s cake by the coffee machine because it’s John’s birthday) in nearly the same way as they divulge client information or deliver a new purchase contract. Employees are not aware that they need to handle sensitive information differently from other email. Virtually all data leaks involving email are the result of that unawareness. In reality, people are the weakest link and the cause of nearly all leaks by email.

Should email even still be used in your organisation?

Reading this might make you think that we advocate banning the use of all email within organisations. That is most certainly not the case. However, in view of the GDPR, it is key to carefully consider how you can improve data security in internal and external email within your organisation.

Technical tips for handling email more securely:

  • Encrypt your emails effectively by default. This will ensure that just you and the person you are communicating with can read the emails.
  • Make sure that only the intended recipients have access to the information.
  • Use software that warns you if an email seems to be sent to the wrong person.
  • Provide an option to cancel a message if something goes wrong.
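As an added example (not code from the original article), the following Python pre-send check implements the first three tips for the scenario described above: it flags a message that carries Citizen Service Numbers (recognised with the BSN 11-test) but is not encrypted, and it flags every recipient outside the organisation’s own domain or its approved partner domains, which would have caught the autocomplete slip from Robert to Rose. The domain names, the approved-partner list and the sample message are constructed assumptions.

```python
import re

# Constructed policy for this example: the hospital's own domain and the partner
# domains it has approved for receiving patient data (hypothetical names).
INTERNAL_DOMAIN = "hospital.example"
APPROVED_PARTNER_DOMAINS = {"it-supplier.example"}

# Weights of the Dutch Citizen Service Number (BSN) 11-test: 9..2, then -1.
BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def is_valid_bsn(candidate: str) -> bool:
    """True if candidate is nine digits whose weighted sum is divisible by 11."""
    if not re.fullmatch(r"\d{9}", candidate):
        return False
    total = sum(w * int(d) for w, d in zip(BSN_WEIGHTS, candidate))
    return total % 11 == 0


def find_bsns(text: str) -> list[str]:
    """Return every standalone 9-digit run in the text that passes the 11-test."""
    return [m for m in re.findall(r"(?<!\d)\d{9}(?!\d)", text) if is_valid_bsn(m)]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outgoing(recipients: list[str], content: str, encrypted: bool) -> list[str]:
    """Pre-send check over body and attachment text. An empty list means OK to send."""
    warnings = []
    bsns = find_bsns(content)
    if bsns and not encrypted:
        warnings.append(f"message carries {len(bsns)} BSN(s) but is not encrypted")
    for addr in recipients:
        dom = domain_of(addr)
        if dom != INTERNAL_DOMAIN and dom not in APPROVED_PARTNER_DOMAINS:
            warnings.append(f"{addr}: external recipient outside the approved partner list")
    return warnings


if __name__ == "__main__":
    # Constructed scenario from the article: autocomplete chose Rose instead of Robert,
    # and the attached report contains test BSNs (111222333 and 123456782 pass the 11-test).
    report = "patient 111222333, referral to physiotherapy; patient 123456782, follow-up"
    for warning in check_outgoing(["rose@homecare.example"], report, encrypted=False):
        print("WARNING:", warning)
```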

Create awareness regarding privacy and GDPR

Awareness regarding privacy and GDPR is a security layer that includes vital organisational and technical measures. It is so important because 46% of all data leaks are caused by employees handling sensitive data carelessly. But how do you resolve that problem? In this e-book, we provide an answer to this question and offer some practical tips.
