Human error is a leading cause of cybersecurity breaches. Sending data to the wrong person, selecting the wrong attachment or falling for a business email compromise or phishing attempt can cause major data breaches and potentially incur large fines for your organization.
A recent ICO report showed that misdirected emails accounted for 20% more reported incidents than phishing attacks. Similarly, according to a 2020 Data Breach threat survey, 97% of IT leaders say insider breach risk is a concern for their organization. However, traditional email security technologies are not designed to protect against human error, leaving many organizations unprotected from these widespread risks.
Egress is an email security and encryption provider taking an innovative approach to solve the problem of misdirected emails. Egress uses contextual machine learning technologies to reduce the risk of both accidental and malicious data breaches caused by people within the organization. We sat down with Egress CEO and co-founder Tony Pepper to talk about the importance of Human Layer Security, the impact of COVID-19 on email risks, and what Human Layer Security means for the future of email security technologies.
From Encryption to Human Layer Security
Egress was founded in 2007, in a very different security world. At the time, encryption technologies were clunky and difficult to use. Pepper and fellow co-founder Neil Larkins saw an opportunity to disrupt this market in two key areas: by making the process of encrypting emails easy, and by giving customers more control over emails after they had been sent.
For the first six years, Egress focused exclusively on their message encryption and secure file transfer capabilities, selling predominately to governments and public agencies. However, over time, new use cases emerged which they were not immediately able to solve. Pepper tells me that about three years ago customers began asking about the possibility of technologies that could stop employees sending important information to the wrong people, proactively.
“All of our developers were sort of scratching their heads and they realized it wasn’t a problem we could solve at the time,” Pepper says. “So, we went back, and we effectively rebuilt the core architecture of the platform. But this time, based on a machine learning backend, which used graph database technology to analyze and model behavior, to understand what normal and abnormal looks like.”
With this new technology in place, Egress is now able to make intelligent decisions about whether or not users are making mistakes when sending emails, based on their past email behavior, and stop them before they are sent. They are also able to make smarter decisions about the types of encryption that should be applied to emails, by looking at individual senders, and the security of email domains. This is known as ‘Human Layer Security’, as it protects users at an individual level from making mistakes when using email.
“That’s where we are today,” Pepper says. “We have extended out from being really focused on email encryption, to now focused on a much wider email security offering that looks at anomaly detection and applies security that’s appropriate to the content, the sensitivity of the content, and the destination of where it’s going.”
“A new opportunity to disrupt the security market”
Human error falls into a number of different categories. It can involve people making a mistake, and sending an email to the wrong person. It can also involve users clicking on phishing links, believing them to be from trusted contacts. Another error can be users not encrypting sensitive data that should have been encrypted.
Pepper says that, just like ten years ago, Egress has a new opportunity to disrupt the email security market with this new Human Layer email security platform. Despite the email security market being much more crowded today, there are few vendors focusing on the human error problem.
“When we look at the market, there really is a collection of quite outdated legacy approaches to tackling human error,” Pepper says. “These solutions are typically at the network boundary, not wrapped around the user. They’re often using legacy DLP technology, which uses static regular based expressions to solve the problem. These approaches are not sophisticated enough to blend both the content and recipient destination to understand risk and error.”
Pepper sees Human Layer Security as a new category of security which has the ability to understand email content, understand where it is being sent, and understand anomalies, in order to proactively apply the best security to the message.
‘The biggest security risk to every business is our people’
Pepper argues that email risks remain one of the major security threats to organizations.
“The biggest security risk to every business is our people,” he says. “Email as a channel is one of the few remaining places where an external threat actor can attack, right into an organization, wherever they desire.”
However, Pepper argues that too much emphasis is put on malicious cybercrime and targeted email attacks. “The overwhelming threat is employees of the business that are well-intentioned, that want to do the right thing, but just make mistakes,” he says.
This threat has been recently exacerbated by the rapid move to remote working that many businesses have made as a result of the COVID-19 pandemic. “We’re seeing a big shift towards digital ways to communicate,” Pepper says. This means more businesses sharing health record and financial records, which need to be encrypted, and protected against being sent to the wrong people.
New data regulations have also caused organizations to start making the risk of data breaches from misdirected emails much more seriously. “Globally, there is more consolidation on privacy now. Fines are now truly meaningful. But for me what was really interesting about GDPR was the importance of the Chief Privacy Officer being on the top table,” Pepper says.
“So now, privacy officers have to report directly into the leadership team, and that puts the focus on having to take privacy seriously. It used to be an IT issue, and now it’s a business issue, and that’s a big shift.”
‘A tip of the iceberg issue’
Despite the rise in the misdirected email problem, it still can be difficult for organizations to quantify how at risk they are from data breaches caused by human error. Unlike being hit by spam, organizations can’t easily see where data has been accidentally sent to the wrong person.
“Independent research carried out by organizations like Opinion Matters shows that the misdirected email is the top issue for CISOs,” Pepper says. “So, they know that it’s happening in their business. But unless you’re using technology like ours, you can’t understand exactly how often this is happening.”
This lack of visibility, Pepper explains, means that unless users self-report when they have accidentally sent an email to the wrong person, which they are unlikely to do, businesses often don’t realize the full scale of the problem.
“When we engage with customers, we’ve stopped asking the question of ‘How many incidents have you got on your risk log?’ Because what we know is that this represents a very, very small percentage of the actual incidents that happen in the business,” Pepper says.
“We had one Fortune 500 healthcare client for example, that had 50 reported incidents in the last 12 months, of which 5 were so serious they needed investigation from data regulators. When we actually did our analysis, which actually detects and logs an incident that is about to happen, we picked up 500 incidents in the first 12 months,” he continues.
“There is a massive, massive disconnect between how often this happens verses the number of incidents on the risk log. It’s a tip of the iceberg issue, and no one really knows how serious it is.”
An old problem, with a new solution
The challenges around misdirected emails are not new. It’s a problem that organizations have in the past tried to solve in unsophisticated ways, Pepper says. This can include using Data Loss Prevention (DLP) policies, putting pop-ups on emails asking users to check before sending, and turning off auto-complete contacts in Office 365 to minimize the risk of selecting the wrong person.
However, Pepper argues that these are very ineffective compared to Human Layer Security. “DLP will prevent content leaving the business that shouldn’t,” he says. “But it won’t stop content that can leave the business from going to the wrong person.”
Pepper also argues that putting a pop up on every single email is only likely to be effective once, before users get click fatigue, and ignore the warnings. Turning off autocomplete can help to reduce the problem, but of course makes life very frustrating for users who need to quickly send emails to contacts, without going through their address book each time.
“Because of this innovation in technology, we are now able to tackle the problem of misdirected emails in a completely new way,” Pepper says.
Thinking of implementing Human Layer Security?
Pepper’s advice for organizations struggling with misdirected emails who may be considering the solution, is that the problem can be complex, but the solution doesn’t have to be.
“The solution is something that is very easily deployed,” Pepper says, “It’s very easily solved. But it has to be solved with the latest in technology that addresses the problems.”
“So, I think for me, our advice would be, reach out, let us show you how our technology can not just address 50% of these problems, but how we can eliminate these problems in the business, and demonstrate return on investment by showing administrators and compliance officers all the incidents that have been avoided because of this technology.”
“As it’s all cloud based, and because our business has been working in highly regulated industries for so many years, we take security incredibly seriously, so all of our products are independently certified, fast to deploy and can help you to eliminate this risk.”
You can find out more about Egress Intelligent Email Security here: https://www.egress.com/