Tony Pepper

CEO & Co-founder, Egress Software Technologies Ltd

Tony Pepper is the CEO & Co-founder at Egress Software Technologies Ltd. Previously Tony Pepper was a Data Security Architect at Check Point Software Technologies.

News mentions
Egress, the provider of human layer data security solutions, released their 2020 Outbound Email Data Breach Report, which highlights the true scale of data security risks related to email use. 93% of IT leaders surveyed said that their organisation had suffered data breaches through outbound email in the last 12 months. On average, the survey found, an email data breach happens approximately every 12 working hours.

Rising outbound email volumes due to COVID-19-related remote working and the digitisation of manual processes are also contributing to escalating risk. 94% of respondents reported an increase in email traffic since the onset of COVID-19 and 70% believe that working remotely increases the risk of sensitive data being put at risk from outbound email data breaches.

The study, independently conducted by Arlington Research on behalf of Egress, interviewed 538 senior managers responsible for IT security in the UK and US across vertical sectors including financial services, healthcare, banking and legal.

Insights from the report

Key insights from respondents include:

- 93% had experienced data breaches via outbound email in the past 12 months
- Organisations reported at least an average of 180 incidents per year when sensitive data was put at risk, equating to approximately one every 12 working hours
- The most common breach types were replying to spear-phishing emails (80%); emails sent to the wrong recipients (80%); incorrect file attachments (80%)
- 62% rely on people-led reporting to identify outbound email data breaches
- 94% of surveyed organisations have seen outbound email volume increase during COVID-19.
68% say they have seen increases of between 26 and 75%
- 70% believe that remote working raises the risk of sensitive data being put at risk from outbound email data breaches

Root cause of breach incidents

When asked to identify the root cause of their organisation’s most serious breach incident in the past year, the most common factor was “an employee being tired or stressed”. The second most cited factor was “remote working”.

In terms of the impact of the most serious breach incident, on an individual-level, employees received a formal warning in 46% of incidents, were fired in 27% and legal action was brought against them in 28%. At an organisational-level, 33% said it had caused financial damage and more than one-quarter said it had led to an investigation by a regulatory body.

Traditional email security tools

The research also found that 16% of those surveyed had no technology in place to protect data shared by outbound email. Where technology was deployed, its adoption was patchy: 38% have Data Loss Prevention (DLP) tools in place, while 44% have message level encryption and 45% have password protection for sensitive documents. However, the study also found that, in one-third of the most serious breaches suffered, employees had not made use of the technology provided to prevent the breach.

Outbound email security risks mitigation

Egress CEO Tony Pepper comments: “Unfortunately, legacy email security tools and the native controls within email environments, such as Outlook for Microsoft 365, are unable to mitigate the outbound email security risks that modern organisations face today.
They rely on static rules or user-led decisions and are unable to learn from individual employees’ behaviour patterns. This means they can’t detect any abnormal changes that put data at risk – such as Outlook autocomplete suggesting the wrong recipient and a tired employee adding them to an email.”

“This problem is only going to get worse with increased remote working and higher email volumes creating prime conditions for outbound email data breaches of a type that traditional DLP tools simply cannot handle. Instead, organisations need intelligent technologies, like machine learning, to create a contextual understanding of individual users that spots errors such as wrong recipients, incorrect file attachments or responses to phishing emails, and alerts the user before they make a mistake.”

Reporting of outbound email data breach

Organisations still cannot paint a full picture of the risks, relying on people-led reporting to identify email breaches, despite severe repercussions.

When an outbound email data breach happens, IT leaders were most likely to find out about it from employees. 20% said they would be alerted by the email recipient, 18% felt another employee would report it, while 24% said the employee who sent the email would disclose their error.

However, given the penalties that respondents said were in place for employees who cause a breach, it is not guaranteed that they will be keen to own up, especially if the incident is serious. 46% said that the employee who caused a breach was given a formal warning, while legal action was taken in 28% of cases. In 27% of serious breach cases, respondents said the employee responsible was fired.

Safeguard both employees and data

Tony Pepper comments: “Relying on tired, stressed employees to notice a mistake and then report themselves or a colleague when a breach happens is unrealistic, especially given the repercussions they will face. With all the factors at play in people-led data breach reporting, we often find organisations are experiencing 10 times the number of incidents than they’re aware of.”

“It’s imperative that we build a culture where workers are supported and protected against outbound email breach risk with technology that adapts to the pressures they face and stops them from making simple mistakes in the first place. As workers get used to more regular remote working and reliance on email continues to grow, organisations need to step up to safeguard both employees and data from rising breach risk.”

Egress, the provider of human layer email security, has announced that its Egress Protect solution will be integrated into NHSmail to offer enhanced protection and improve user experience. NHSmail is used by up to 1.5m healthcare staff daily, and is the largest closed secure email network in the UK.

The announcement comes as part of NHS Digital’s commitment to use innovative technology to transform the UK healthcare landscape. Effective communication is an integral part of the NHS, and Egress’ email encryption technology has a significant footprint in UK Government.

NHSmail secure email service

NHSmail is a secure email service, approved by the Department of Health and Social Care, for sharing sensitive information. NHSmail has a function for sending sensitive emails which are encrypted, to non-secure email addresses.

Egress Protect improves healthcare practitioners’ experience by enabling them to use NHSmail to send encrypted emails to unsecure domains, including patients and other areas of the health and care system, as well as offering automatic decryption for inbound email. This allows those recipients of NHSmail emails that are encrypted using Egress Protect to read and reply free of charge via an easy-to-use online portal or using Egress’ free app for Outlook integration.

Streamlining communications

Consequently, secure email communication is available free of charge and in a simple and accessible way, to everyone who needs it. Egress Protect is already used by many local government organisations, and major private healthcare providers in the UK and will streamline communications between these organisations and the NHS.

Following an initial pilot phase, Egress is now the new provider for sending sensitive emails from NHSmail accounts encrypted to external email accounts.

Chris Parsons at NHS Digital said, “NHSmail is already a safe, secure email system, used by almost 1.5 million health and care professionals, enabling them to send sensitive information and deliver effective care. The partnership with Egress will continue to build on this, delivering an effective user experience, supporting security and compliance with GDPR with detailed auditing and reporting.”

Innovative email security solutions

“We are delighted to be working with NHS Digital to improve the NHSmail experience for healthcare practitioners and patients throughout the UK,” commented Egress CEO Tony Pepper. “Modern and efficient healthcare requires an accessible and secure communication network built on the best data security and IT architecture available.”

“At Egress, we deliver innovative email security solutions that make it easy for users to protect data, and meet compliance requirements, and then quite simply, get on with their day-to-day work. We look forward to an ongoing relationship with NHS Digital, supporting them in the delivery of this critical communication network.”

A survey of UK GDPR decision-makers conducted on behalf of Egress, the provider of people-centric data security solutions, reveals that 52% of businesses are not fully compliant with the regulation, more than a year after its implementation. The survey also found that 37% of respondents had reported an incident to the ICO in the past 12 months, with 17% having done so more than once.

Interestingly, the results showed that over half (53%) of mid-size companies had reported data breaches to the ICO in the past 12 months, compared with 36% of small companies and only 23% of enterprise organisations.

Handling of sensitive data

Similarly, a notably lower percentage (39.5%) of mid-sized companies reported full GDPR compliance compared with 56% of large and 51% of small companies. Taken together, these figures indicate an evident gap in compliance performance among mid-size companies.

Other key survey findings include:

- Only half of decision-makers (48%) reported that their business was fully compliant
- 42% rated their organisation as ‘mostly compliant’
- Over one-third (35%) said GDPR has become less of a priority for their organisation in the last 12 months
- Implementing new processes around the handling of sensitive data has been the greatest area for compliance investment in the last 12 months, cited by 28% of those surveyed
- Compliance investment priorities were then split across better auditing of what data is collected and why (18%), employment of a Data Protection Officer or other compliance personnel (18%), and new technology (17%). 7% said user education and training had been their biggest area of investment.

Making GDPR a top priority

A significant proportion (35%) of GDPR decision-makers said that the majority of compliance activity had taken place in the lead up to the May 2018 deadline and had since dropped down the priority list and remained less important. Only 6% said that the ICO’s recent high-profile announcements of its intention to fine British Airways and Marriott had subsequently shocked the business back towards greater awareness.

While 70% of decision-makers surveyed said that their organisation felt very positively about GDPR, less than two thirds (62%) said their business had made GDPR a top priority over the past year.

Tony Pepper, CEO, Egress comments: “Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months.”

Taking necessary steps towards protecting data

“The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’. Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organisations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organisations cannot risk compliance complacency.”

“This is important for businesses in the small and mid-market segments, where our survey found lower compliance levels being reported.
Although the ICO’s action to date has focused on two well-known enterprise organisations, GDPR demands compliance from businesses of all sizes and they need to take all necessary steps towards protecting data.”

End-user education and training

When asked about their single greatest area of compliance investments, decision-makers chose:

- Implementing new processes around the handling of sensitive data (28%)
- Better auditing around what data we collect and for what reasons (18%)
- Employment of a Data Protection Officer or other additional compliance staff (18%)
- New technology (17%)
- Implementing new procedures around incident reporting (8%)
- End-user education and training (7%)

Security-related personal data breach incidents

Yet despite these investments, over one-third of respondents (37%) have reported at least one incident to the ICO in the last 12 months. According to analysis of ICO data, 60% of security-related personal data breach incidents in the first six months of 2019 were caused by human error.

Pepper adds: “The majority of respondents (96%) acknowledged their organisation has made investments in GDPR compliance in the last 12 months, with implementing new processes the most common top priority.
Yet despite this, we continue to see data breach incidents being reported and we know from the ICO that the primary cause is human error – so clearly strategies need to shift if we are going to turn the tide against data breaches.”

Latest advances in security and DLP technology

“Reliance on people to follow processes and protect data is only going to get organisations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information.”

“It’s positive to see that almost one-fifth (17%) of respondents are looking to technology as a way to mitigate breaches, but they must ensure these solutions tackle human error as the root causes of many of these incidents.”

“They must look to the latest advances in security and DLP technology that can map a user’s behaviour to prevent the array of mistakes that put data at risk – from falling for phishing attacks that can lead to malware or stolen credentials, to misdirecting emails or attaching the wrong documents. GDPR is here to stay, and we’re only going to see more companies penalised for data breaches unless we’re able to overcome these issues.”