
There is an email risk that has nothing to do with phishing. The threat lies in outgoing mail, according to a survey by Abnormal AI.
Of the security leaders polled, 98% consider misdirected email a bigger danger than malware and credential theft.
In addition, 96% say their organization experienced data loss due to misdirected email within the past year, and 95% suffered a measurable business impact, such as a remediation expense or a compliance violation.
Moreover, 41% of organizations say they typically learn of such an incident only when the recipient reports it.
What is misdirected email? It occurs when "a message is sent to an unintended recipient," the study states. "The misdirection could be caused by human error, a technical mishap, or another accident."
Unlike spam, where whatever harm occurs is felt by the recipient, the damage from a misdirected email falls on the sender's organization.
“Misdirected email is often thought of as a minor mistake, but these
messages may contain sensitive information such as customer or financial data, intellectual property, or confidential business discussions,” the study points out.
To that point, firms that sent misdirected email in the past year reported these consequences:
- Expenditures of time, labor and/or money on remediation — 53.6%
- Loss or exposure of confidential data — 49.3%
- Damage to relationships with customers — 40.1%
- Business disruption/lost revenue — 36.7%
- Damage to relationships with partners and/or vendors — 39.4%
- Reputation harm — 38.5%
- Legal issues — 19.9%
- Fines or other penalties for noncompliance — 19.5%
- None — 53%
This phenomenon is especially dangerous for sales and marketing teams in B2B companies. This reporter once worked at an organization where a staffer mistakenly sent a sensitive internal email with sales figures to the entire client list. (He wasn’t fired for it.)
How big is the threat? Compared with other causes of data loss such as malware, insider threats and data exfiltration, the risk from misdirected email is viewed as:
- Extremely significant — 23.2%
- Very significant — 44%
- Moderately significant — 24.2%
- Slightly significant — 6.6%
- Not significant — 2.0%
What can companies do to avoid these incidents? The survey points to the common causes they need to guard against:
- Typographical errors in addresses
- Autocomplete mistakes
- Similar-looking addresses
- Workplace fatigue and time pressure
It is also important to avoid systems with outdated or overly broad distribution lists and ineffective autofill logic.
Finally, misdirected email may be prevented with these capabilities, the respondents say:
- Automated blocking of emails containing sensitive data sent to unintended recipients — 68.5%
- Behavioral AI to identify anomalous data sharing or communication patterns — 57.3%
- Automated encryption of sensitive data — 51.7%
- Real-time, contextual reminders so that users can review and correct potential mistakes — 51%
- Easy configuration and maintenance — 39.4%
- Incident dashboard and remediation tools — 38.1%
- Centralized dashboard for incident monitoring, reporting and analytics — 36.8%
- Granular policy controls for different user groups and/or data types — 25.5%
- Seamless integration with other security tools and workflows (e.g., SIEM, SOAR) — 20.2%
- Rapid deployment — 12.6%
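To make the causes and the top two requested controls concrete, here is an added example of an outbound-mail policy check written in Python for this article; it is not code from Abnormal AI or its product. It flags recipient domains within a small edit distance of a known internal or partner domain (the typo and similar-looking-address cases), detects sensitive content with a keyword list and a Luhn-validated card-number pattern, warns on a sensitive message sent to an unusually large recipient list, and returns a block/warn/allow verdict. The domain lists, keyword list, broadcast threshold and sample messages are constructed assumptions, not values from the survey.

```python
"""Outbound e-mail policy check illustrating misdirected-mail controls.

Added illustration, not Abnormal AI's code. Every domain, keyword, threshold
and message below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: domains the organisation treats as its own and as trusted partners.
INTERNAL_DOMAINS = {"example-corp.com"}
PARTNER_DOMAINS = {"acme-partner.com", "bigclient.co.uk"}
KNOWN_DOMAINS = INTERNAL_DOMAINS | PARTNER_DOMAINS

# Constructed indicators of sensitive content.
SENSITIVE_KEYWORDS = ("confidential", "sales figures", "ssn", "payroll")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed: a sensitive message to this many recipients gets a reminder.
BROADCAST_THRESHOLD = 10


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs do not count as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the sensitive-content indicators found in the message body."""
    hits = [k for k in SENSITIVE_KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("payment card number")
            break
    return hits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Known domain that this one nearly matches (typo or similar-looking address)."""
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    reasons: List[str] = field(default_factory=list)


def check_outbound(recipients: List[str], body: str) -> Verdict:
    """Decide what to do with an outbound message before it leaves."""
    sensitive = find_sensitive(body)
    lookalikes, unknown = [], []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        near = lookalike_of(domain)
        if near:
            lookalikes.append(f"{rcpt} looks like a typo of {near}")
        elif domain not in KNOWN_DOMAINS:
            unknown.append(rcpt)
    # Automated blocking: sensitive content heading to a suspicious address.
    if sensitive and (lookalikes or unknown):
        return Verdict("block", lookalikes + [f"sensitive ({', '.join(sensitive)}) to unknown {r}"
                                              for r in unknown])
    # Contextual reminder: address typo without sensitive content.
    if lookalikes:
        return Verdict("warn", lookalikes)
    # Contextual reminder: sensitive content to an unusually wide audience.
    if sensitive and len(recipients) >= BROADCAST_THRESHOLD:
        return Verdict("warn", [f"sensitive ({', '.join(sensitive)}) to {len(recipients)} recipients"])
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample messages.
    print(check_outbound(["bob@acme-partmer.com"], "Here are the confidential sales figures"))
    print(check_outbound(["bob@gmail.com"], "card 4111 1111 1111 1111 on file"))
    print(check_outbound([f"u{i}@acme-partner.com" for i in range(12)], "payroll attached"))
```

The edit-distance threshold of 2 is deliberately small: a larger value would start matching unrelated short domains, which is the false-positive rate that drives users to click through warnings. A deployment would populate the known-domain set from the directory and past sent mail rather than hard-coding it.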
Abnormal AI surveyed more than 300 security and IT professionals.