GDPR: 45% of employees have shared sensitive data
8 May 2018
UK data security pioneer Clearswift has undertaken a global survey which reveals that 45% of employees mistakenly share sensitive emails with unintended recipients, leaking GDPR information such as bank details, attachments and personal data.
The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, finding that employees regularly send and receive emails containing sensitive information in error. Key findings include:
- Nearly half of employees (45%) have accidentally shared emails containing bank details, personal information, confidential text or an attachment with unintended recipients.
- A mere one in four employees (27%) would delete these emails from their inboxes and clear their deleted items.
- Fewer than half of employees are fully aware of the agreed process in their organisation when such an email is received.
GDPR and shared responsibility
“With GDPR, the new tenet of shared responsibility makes the problem of receiving and sharing unauthorised information a serious issue. Email communication is a real pitfall for organisations trying to comply with the regulation”, said Dr Guy Bunker, SVP Products at Clearswift.
“Stray bank details and ‘hidden’ information in attachments, spreadsheets or reports can create a serious data loss risk. The occasional email going awry may seem innocuous, but when multiplied by the number of employees within a business, the risk becomes more severe and could lead to a firm falling foul of the new GDPR penalties (up to 4% of global turnover), or even those in place already, such as the Payment Card Industry Data Security Standard. If contravened, this can lead to a firm having its ability to process data removed, which could see some businesses grind to a halt.”
The research also found that upon receiving a misplaced email, 31% of employees said they would read it, with 12% even admitting they would scroll through to read the entire email chain. 45% of employees did say they would alert the sender to the mistake, giving them the opportunity to take some action; however, only 27% said they would delete the email from their inbox and deleted items, leaving an element of uncertainty about where the data remains.
Fewer than half (45%) of employees were familiar with the agreed process or course of action to take upon receiving an email from someone in another company where they were not the intended recipient, and 22% admitted there was no formal process in place whatsoever in their organisation for such situations.
Human error in data breaches within politics:
- When a document showing support for the government’s policy around small business turned out to have metadata (document properties) which showed it came from Conservative Party HQ. This created embarrassment rather than anything else, but reputation is so important in this field: it takes years to build and seconds to lose.
- When a local political party sent the details of its regional supporters to a radio station by accident – it’s just so easy to do.
Malicious insiders who create a data breach:
- Sage: A malicious employee, with authorised access, took the most personal of data from the trusted company, although fortunately they were caught before anything truly malicious happened. However, the damage to the reputation was already done.
- Morrisons: Where a malicious employee posted the payroll data of 100,000 staff. This led to huge fines against the company, but also a ruling in 2017 which meant that the staff would also get a payout from the company. Data loss incidents and the impact they have don’t go away quickly!
Advice for companies
Bunker added, “To offset the inevitable risk associated with email communications, companies need a clear strategy, which encompasses people, processes and technology.”
“Instilling the values of being a ‘good data citizen’ can engender a sense of data consciousness in the workplace, ensuring that employees are aware of responsible disclosure, and with whom this responsibility sits upon receiving an email in error. However, a formally agreed process or course of action is also a must. There is not a silver bullet and technology can once again offer assurances to help mitigate risks.
Adaptive Data Loss Prevention (DLP) technologies can automate the detection and protection of critical information contained in emails and attachments, removing only the information which breaks policy and leaving the rest to continue on to its destination.”
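To make the "remove only what breaks policy" idea concrete, here is an added toy example in Python (not Clearswift's product or code): candidate card numbers are validated with the Luhn checksum and IBANs with the ISO 13616 mod-97 check before redaction, so look-alike numbers such as ticket references pass through untouched while real bank details are stripped from the body and any text-extracted attachment. The message, attachment and policy names are constructed for the example.

```python
import re

# Candidate patterns; every hit is validated before redaction to limit false positives.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")         # 13-19 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # country, check digits, BBAN

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four chars to the end, map A-Z to 10-35."""
    rotated = iban[4:] + iban[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(numeric) % 97 == 1

def redact(text: str):
    """Return (clean_text, findings); only matches that pass validation are removed."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                   # e.g. a ticket number: leave it alone
        findings.append(("card", digits[-4:]))  # keep only the last four for the audit log
        return "[CARD REDACTED ****%s]" % digits[-4:]

    def iban_sub(m):
        if not iban_ok(m.group(0)):
            return m.group(0)
        findings.append(("iban", m.group(0)[:4]))
        return "[IBAN REDACTED %s...]" % m.group(0)[:4]

    return IBAN_RE.sub(iban_sub, CARD_RE.sub(card_sub, text)), findings

def scan_message(body: str, attachments: dict):
    """Apply the policy to the body and to each attachment (already extracted to text)."""
    clean_body, findings = redact(body)
    clean_attachments = {}
    for name, content in attachments.items():
        clean, found = redact(content)
        clean_attachments[name] = clean
        findings += [(name,) + hit for hit in found]   # attribute each hit to its file
    return clean_body, clean_attachments, findings
```

The rest of the message is left intact, and the findings list gives the audit trail a DLP gateway would log when it lets the sanitised mail continue to its recipient.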
No-one is cyber immune
Bunker explained, “The thing to take away from these findings is that no-one is immune – no sector, no size of an industry. We have seen data breaches happen from as high up as The Pentagon, where a spear-phishing campaign resulted in over 4,000 individuals’ information being compromised, down to The Dean Street Clinic, which accidentally sent out its newsletter with all the recipients on the ‘To’ line rather than ‘BCC’, meaning that everyone could see who else had the newsletter. This was particularly compromising as the recipients were subscribers to a service for those with HIV.
“Organisations need to recognise that ‘error’ is a significant issue with their security and need to put policies and technology in place to mitigate it. After all, when it comes to the law, the result of an error or a malicious attack is the same: critical information has fallen into unauthorised hands.
“People are both the strongest and the weakest link in an organisation’s security. They can help identify potential areas of weakness, but the slip of the finger and a breach can be created.”
This research was conducted by technology research firm, Vanson Bourne, on behalf of Clearswift. Over 600 business decision makers and 1,200 employees from the UK, US, Germany and Australia were polled to map the attitudes of businesses and employees relating to cyber security. For more information about Clearswift, go to https://www.clearswift.com/