Among the consequences of the big shift to home working due to the Covid-19 pandemic has been a surge in the use of email, and along with that a heightening of associated threat to cyber security, writes Jamie Davies, public sector manager, Egress Software Technologies.
A combination of forces is at work. As people have been removed from their offices their familiarity with email makes it the easiest way to stay in touch and share information. They are also very busy, with many in the public sector under severe pressure to keep things running during lockdown, making them susceptible to mistakes. Cyber criminals see this as an opportunity, and there is plenty of anecdotal evidence that email has been their favoured means of attack over recent months.
It has created a situation in which organisations have to look closely at how the scope for human error in handling email affects their security posture, and be ready to take action to correct any weaknesses.
This provided the focus of a recent UKA Live discussion between myself, Paul Withers, the data protection manager of Walsall Metropolitan Borough Council, Carol Williams, its interim director of transformation and digital, Geoff Connell, director of IMT and chief digital officer of Norfolk County Council, Simon Clifford, director of digital and data, Police ICT Company, and UKA publisher Helen Olsen Bedford.
Increase in incidents
All agreed that, despite the increased take-up of collaboration tools such as Microsoft Teams, there has been a surge in the volume of email as many people have continued to use it by default. Our own research has shown that 93% of organisations are now sending and receiving more email than before Covid-19 struck, and 94% acknowledged security incidents with outbound emails.
These were reinforced by an audience poll during the discussion showing that 76% of respondents had suffered a data breach this year, and of those 74% said it was related to email. Another 52% acknowledged having mistakenly sent an email with sensitive material at some point.
The increase in volume, combined with the sense of urgency in the shift to remote working and the need to share information with different agencies, has undermined the sense of caution needed in dealing in emails from unknown sources. The Egress research showed 37% of incidents attributed to employee stress and fatigue.
Along with this has been the increase in multi-agency working and sharing of information. People are not familiar with the structure of other organisations’ email addresses, their protocols or how they send files, and with the volume of incoming messages they are become vulnerable to giving up information, downloading dangerous files or clicking on malicious links. Further problems arise when contact lists for specific purposes are not kept up to date, meaning that some who should no longer receive sensitive emails do so while others are left out.
Cyber criminals have seen the opportunity to exploit the weaknesses, and public sector digital chiefs have reported a surge in phishing attacks, using email to obtain sensitive information or data. The criminals are proving to be sophisticated and patient in gaining access to the information: we have had reports of phishers spending up to two weeks posing as a supplier in conversations with a public sector employee to obtain information.
Steps to strengthen defences
But the discussion also identified measures that could strengthen the defences. One is to ensure that when email is sent around a contact group somebody has responsibility for ensuring the list is accurate and up-to-date, including every person with a legitimate need for the information.
Another is to turn off the ‘auto-complete’ function on email addressing, so it does not anticipate and send to an incorrect address, however this can cause high levels of user friction. Misdirected emails can be prevented by a final check before sending but it is one of those things that can be neglected when fatigue sets in.
It is also possible to protect content with a one-time password, which is not supplied to the recipient until they confirm they have received the email, or some form of two-factor authentication. Financial services are making increasing use of this approach but the public sector has so far been slow to follow.
Sophisticated tools using contextual machine learning, encryption and analytics are also available in the Egress Intelligent eMail Security suite. These can provide safeguards such as ensuring content is suitable for all the people on a ‘send’ list, making it impossible to read an email sent in error, and to quantify the risk of a breach in email flows.
As with any element of cyber security, it is important to train staff in good practice in using emails. An information governance team can take the lead on mandatory training, publishing information on procedures and known threats on the intranet, and ensuring a robust process is in place to handle any breach.
Phishing tests
Testing can also be important: a phishing exercise can identify any individuals or teams who fail to spot the dangers. It is important that this is done within an educational process, identifying why the threat was not seen and sharing the lessons, rather than to catch people out. This is part of building a strong security culture in which people are aware of the threats and think intelligently about incoming mail.
Similarly, an organisation should encourage people to report any possible incidents without fear of being blamed. Describing how and why an email breach occurred helps in the efforts to mitigate it and can contribute to good practice in preventing it from happening again.
This is also important in explaining what happened to the Information Commissioner’s Office (ICO) and the data subject. Being transparent, with evidence that you have followed the right procedure to quickly identify and rectify the weak point can safeguard against further action from the ICO.
It all amounts to a two-pronged approach of using the technology tools available and building a culture of best practice in the organisation.
While the use of collaboration tools is providing other options for communicating and sharing information, the experience of recent months suggests email is going to remain the default for many people for the foreseeable future. This makes it crucial that organisations give it as much attention as they do to all other elements of their cyber security operations, bringing their information governance and ICT teams together to ensure they have a robust combination of technology and culture in place.
Download the free asset discussed:
Learn more about Egress and intelligent email security:
Image from iStock, COMiCZ