
Preventing data leaks | How to email securely

Posted by Adam Low on 9th August 2023

A new era of data loss prevention and email security: How technology can prevent the leading causes of data incidents

Hyper digitalization and hybrid working sees employees handling more data than ever. The compliance and digital security landscape continues to evolve and the average cost of a data breach continues to rise.

It is no secret that the majority of data incidents reported today result from non-cyber related errors - more than 70% in 2023 according to the ICO. This includes failure to revoke sensitive data, sending emails to the wrong recipient, using Cc in place of Bcc - the list goes on. 

While the likes of Gmail and M365 are fantastic productivity platforms for widespread teams, due to their decentralized nature, they fall short on vital security requirements, leaving your organization open to data leaks, resulting in reputational damage and considerable fines.

In this article, we'll investigate the security flaws hidden in plain sight in email and how to tackle them.

Driven to distraction: How much is too much communication?

While cloud-based productivity platforms such as M365 and Google Workspace enable all-important flexibility, they lack the smart functionality required to secure sensitive data in transit and thereafter. 

In addition, the number of these platforms keeps growing. Reflect on your own working day and it is likely that you are communicating via a range of applications - as many as three or four may be open in your browser or on your desktop at any one time.

In fact, in a recent survey of more than 6,000 employees globally, we found that more than half (55%) have seen the number of communications tools and channels increase in the last two years.

So, what’s the result?

Sure, we’re able to communicate at any time, and from anywhere, with our colleagues, clients, suppliers, patients, residents etc. But this flexibility is having a very real negative impact on people:

  • 39% feel distracted from their day to day jobs due to increased training
  • 34% refer to frequent interruptions preventing them from getting the job done
  • 29% feel more stressed in wake of increased notifications and alerts
  • 25% state they struggle to ‘switch off’ because they feel the need to be always contactable

Solution fatigue is preventing employees from focussing on their core role. And, unfortunately, distractions inevitably increase the likelihood of security leaks. 

It’s time to question, is it up to your workforce to understand the complexities of data protection and digital security? Are your communications platforms truly secure? Does mandatory security training really fix the issue? Or, should we expect more? 

In the simplest terms, should technology be working harder for us? 

It’s time for change

Progressive business leaders are seeking out technologies to empower their people to work efficiently and securely. By enhancing their most relied-upon communications platforms with solutions designed to make sharing sensitive information nothing short of effortless, organizations are leveraging the power of contextual machine learning, zero access encryption, and seamless integration with existing email clients.

It’s about instilling security beyond company culture to make it a lifestyle and an instinctive mindset for everyone, everyday. 

The state of digital communications security today

Remote working, digital fatigue, evolving regulatory pressures: these are the security challenges confronting businesses across all industries today, and a traditional approach to digital security is no longer fit for purpose. After all, security breaches are on the rise, and so is the average cost of a GDPR fine.

As such, one thing is clear - you cannot train an employee to avoid making mistakes. But there are ways to navigate this fact.

Rather than expecting employees to change their behavior, progressive IT leaders are realizing the benefits of innovative technology built to embed into existing workflows. In this way, employees are armed with the tools they need to act securely, effortlessly, without adapting their workflows and processes.

And if there’s one workflow we’re all familiar with today, it’s email. Instant messaging and file transfer platforms come and go but email is king. 

In fact, nearly 90% of employees and IT leaders rely on email to get the job done, with over 80% considering email to be the most secure way to send sensitive information.

Building on existing communications infrastructure 

Since its invention several decades ago, email technology has stagnated. After all, it was never built to be secure. 

Email isn’t ‘owned’; it is a completely independent distributed system which operates seamlessly via multiple providers. However, the standards email relies on to ensure interoperability aren’t keeping up with digital transformation or today’s changing threat landscape.

Email technology is underpinned by inherent trust. The vulnerabilities exposed by that inherent trust don't catch the attention of the media the way other digital security incidents do. The objective of email is to get a message from point A (the sender) to point B (the recipient) as quickly as possible - making security a second priority.

Although email has seen the addition of (often conflicting) functionalities to improve security, such as anti-spam, the fact is, the aging standards underlying email haven't adapted in nearly 20 years.

Adoption of new email standards is varied. Things like SPF and DMARC are relatively widespread, but the likes of DANE, DNSSEC and MTA-STS have far lower adoption.

Email is decentralized, meaning that the adoption of universal security protocols is difficult. 

Take, for example, transport layer security (TLS) encryption. TLS encrypts messages sent between two compatible email servers - unless the recipient’s server is not compatible, in which case the email is sent unencrypted, meaning it is at risk of being intercepted in transit. To make matters worse, the sender is unaware that their email has been sent unencrypted. With no way of knowing their data is even at risk, identifying a potential data breach and taking corrective action takes much longer and costs significantly more.
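The fallback described above is what "opportunistic" STARTTLS means in practice, and MTA-STS (mentioned earlier alongside DANE and DNSSEC) is the standard that lets a receiving domain forbid it. The following Python is an added example, not code from the original article or from Zivver: it parses an MTA-STS policy in the RFC 8461 text format and shows how a sending server's delivery decision changes between no policy (silent cleartext fallback), "testing" mode (deliver anyway, but report) and "enforce" mode (refuse to deliver without a valid TLS connection to a listed MX). The policy text and all hostnames are constructed sample data.

```python
"""
Added example (not part of the original article or Zivver's code): how
opportunistic TLS silently falls back to cleartext, and how an MTA-STS
policy in "enforce" mode changes that decision (RFC 8461 semantics).
The policy text and MX hostnames below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample of a policy file, as it would be served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.net
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str                       # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the 'key: value' lines of an MTA-STS policy.
    Unknown keys are ignored; a missing/unexpected version or an
    invalid mode is rejected rather than silently defaulted."""
    fields = {}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    mode = fields.get("mode", "none")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid MTA-STS mode {mode!r}")
    return StsPolicy(version="STSv1", mode=mode, mx=mx,
                     max_age=int(fields.get("max_age", "0")))


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """An mx entry matches the host exactly, or, for a '*.' entry,
    exactly one additional label to the left (RFC 8461 wildcard rule)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]            # e.g. ".backup.example.net"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host: str, tls_offered: bool, cert_valid: bool) -> str:
    """What a sending MTA does for one connection attempt.

    policy=None models a recipient domain with no MTA-STS: plain
    opportunistic STARTTLS, where a missing or broken TLS offer falls
    back to cleartext and the sender is never told.
    Returns one of "tls", "cleartext" or "deferred".
    """
    if policy is None or policy.mode == "none":
        return "tls" if tls_offered else "cleartext"
    secure = tls_offered and cert_valid and mx_matches(policy, mx_host)
    if secure:
        return "tls"
    if policy.mode == "enforce":
        return "deferred"       # do not deliver; retry later and report the failure
    return "cleartext"          # testing mode: deliver anyway, but report it (TLSRPT)


if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print("no policy, no TLS:  ", delivery_decision(None, "mx.example.org", False, False))
    print("enforce, no TLS:    ", delivery_decision(pol, "mail1.example.net", False, False))
    print("enforce, valid TLS: ", delivery_decision(pol, "mx2.backup.example.net", True, True))
    print("enforce, unlisted MX:", delivery_decision(pol, "rogue.example.com", True, True))
```

The point a practitioner should take from the four cases printed at the bottom: without a policy the sender has no signal at all that a message travelled in the clear, whereas with an enforced policy the same failure becomes a visible deferral (and, with TLSRPT, a report the receiving domain can act on). Checking whether your own domains publish an MTA-STS policy, and in which mode, is a cheap defensive step.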

Another security drawback of TLS is that it protects an email in transit, but not at rest. In other words, once an email is received and sitting in the recipient's inbox, the email contents are no longer encrypted and can be accessed by anyone who has access to that inbox. A lack of multi-factor authentication and expiration control functionality means employees cannot take control of their sensitive communications after pressing ‘send’. 

We also see many vendors retaining access to decryption keys - meaning your data isn’t necessarily as protected as you believe it to be (this is a question for your security suppliers - today, only asking about encryption isn’t enough). 

In simple terms, while email providers such as Gmail and M365 are fantastic productivity platforms for enabling remote working teams to communicate freely, they do not meet the compliance and security requirements of organizations today.

Why email isn’t as user-friendly as you think

You'd be right to assume that email remains the linchpin of office communications due to its user experience. It's universal and reliable, regardless of your stakeholder.

However, from a business perspective, email presents a number of security hurdles. 

We’ve all felt the stomach-drop moment of sending an email to the wrong person. Yet today, most solutions lack an adequate email recall function. For example, in Gmail, emails must be recalled in under 30 seconds after sending to be effective.  

As already mentioned, once sent, employees are unable to control access to or track email performance. Users cannot set expiration periods on emails or their attachments; they cannot manage access to emails once sent with standard multi-factor authentication controls. 

These are simple pieces of functionality that are absolutely integral for businesses today yet they are lacking from email clients.

“Relying only on employee awareness training is clearly not enough. Because we're seeing the problem getting worse, not better. (...) We live in an era of smart cars, smart houses, smart power that is helping people to overcome a problem with technology that's not obtrusive. On the contrary, it’s modern and usable.” Barry Moult, Director at BJM IG Privacy Ltd


We also see employees switching between multiple platforms to complete different tasks. For example, Outlook limits attachment sizes to just 20 megabytes. For sharing a video, large files, or high resolution images, employees are forced to use third party file transfer sites. This is problematic for a few reasons: 

  • Third party platforms are not integrated with existing platforms and workflows, forcing employees and their recipients outside of their familiar email environment. 
  • They are restrictive; often, free versions of file sharing platforms limit file sizes to 2GB. 
  • Some do not deliver on compliance requirements (WeTransfer is not HIPAA compliant, for example). 
  • Finally, while third party platforms may provide some security measures to protect files in transit, they do not prevent the leading cause of data leaks today - human error - meaning a major data incident is only ever one click away.

This is just one example of a common task which, in today’s digital age, should be nothing short of effortless. 

“Sending large file sizes is a fundamental part of healthcare email traffic. Whilst some clinical systems and solutions tackle common files, for example sharing of CT scans between hospitals, there is demand for a secure way of transferring large files. We are using large file transfers to receive patient videos for remote consultations or updates as an example, which is essential to encrypt end to end.”  Sarah Judge, Digital operational lead and CCIO at West Suffolk NHS Foundation Trust


Put simply, traditional email clients and productivity platforms cause friction: disruptive alerts or delayed notifications, lacking functionality… Instead of adopting security best-practice, employees are learning how to avoid clunky processes in order to work efficiently and to meet the needs of their stakeholders - effectively increasing the chances of a data incident.

Compliance made complicated

Every industry has its own data protection standards to adhere to in addition to the GDPR.

When sharing sensitive data online, organizations are often required to have access to data logging and proof of delivery, which many traditional email clients fail to provide. 

Data regarding how emails are sent, encryption levels, delivery and open rates should all be available for export. The ability to analyze this data on a granular level, down to a user and team basis, ensures data protection and IT leaders can protect their organizations when it comes to third party audits and compliance reporting, as well as identifying potential gaps in data loss prevention strategies. 

We operate on data today, it is the lifeblood of every business. Employees must be empowered to manage it securely, and business leaders must have access to it in order to navigate complex compliance legislation.

Instead, we see security leaders accepting the technical limitations of email clients and the impact these have on workflows. It is time to expect more from our solutions to ensure digital security and power productivity.

Why security training alone isn’t the answer to progressive digital security

Traditionally, malicious and inbound attacks dominate the conversation around cybersecurity, with little to no focus on outgoing communications. This is the equivalent of locking your front door but leaving the windows wide open. 

Progressive IT leaders realize that data security cannot be the responsibility of employees alone. Yet despite this, only 18% of security professionals have their approach to risk and email security under constant review.

And while training certainly does play an important role in preventing incoming attacks (think malware, phishing, general security best practice), people cannot be trained to avoid making simple mistakes. 

Often treated as a tick-box approach to compliance, studies show that training is effective for just four to six months before it must be repeated. In fact, we found that only 67% of employees have received security training in the past two years. Of these, 31% state they have not used their learnings in their core role, yet 76% of IT leaders think data security training alone will reduce email security risk. 

Add to the mix intrusive protocols, processes, and platforms, and it’s no wonder employees are feeling burdened by IT security:

  • 50% say current security methods slow them down
  • 47% say they felt more frustrated by network security measures when working from home
  • 39% say IT teams are so paranoid about threats that it hampers them from doing their job

Evidently, our approach to training isn’t fitting the bill. Employees don’t have time to complete compulsory sessions and when they do, they aren’t truly benefitting from their learnings. 

23% of all reported incidents this year were the result of human error; 13% of all incidents were due to emails being sent to the wrong person. It is clear that training alone cannot protect organizations from data leaks. However, through a combination of real-time awareness training and smart technology, employees can be empowered to avoid these most common mistakes.

“Every colleague comes into work to perform their job to the best of their abilities, with knowledge and experience. For many people, the burden of security is regarded as an IT problem, and they simply want to follow existing processes without having to perform additional steps or access multiple technology tools. Their core skill set is not security but will follow company policies and procedures if it does not impact them doing their job. It is the responsibility of technology leaders to find frictionless tools which allow people to perform their work without impacting productivity.”  Stephen Khan, Global Head of Tech & Cyber Security Risk (former security exec HSBC)


Empowering security with intuitive tech

By now it should be clear that digital security is not a people problem - it is a technological one. Because only with access to the right tools can people protect the sensitive data they handle every day.

Our days have never been busier. Employees need to be free to focus without fear of causing a major data incident.

“(...) forcing users to change their behavior or to remember to encrypt important data is not going to work. However, the intelligent application of machine learning can automatically apply additional controls and simultaneously educate users about the information they are sharing and the risks that involves.” OMDIA Market Radar - Outbound Email Security


By operating silently in the background of your email client (Outlook, Gmail, or Microsoft 365), Zivver empowers employees to share sensitive data and large files without jumping through hoops, securing sensitive data:

  • Before sending, with prompts to encrypt emails and act on potential errors 
  • During transit, with advanced encryption and zero knowledge, zero access methodology (because we don’t hold your encryption keys)
  • And after sending, with recall functionality users can rely on, MFA, the ability to manage access controls, and data logging

This email contains sensitive information

Zivver Smart Classification automates classification methods and triples the accuracy of security alerts by leveraging millions of data points to identify patterns in the body and attachments of emails. 

Zivver then classifies data according to the appropriate security levels and alerts employees to potential security hazards while emails are drafted. Employees can then apply advanced encryption to secure their data, apply MFA, expiration controls and more, to prevent data leaks and ensure compliance.

Simple for recipients

Email is user-friendly for everyone involved. So if your security solution is complicating processes for recipients, it isn't truly working for your organization. Zivver doesn't require recipients to create Zivver accounts to access secure emails. With MFA functionality, they can rest assured their data is being handled correctly - without having to jump through hoops to access it. Plus, you can even enable external parties to send secure messages into your organization without creating accounts. That's what we call effortless.

Simple for administrators

Controlling access to data and functions within a growing and changing workforce is no easy feat. Zivver Synctool empowers truly effortless user provisioning by supporting complex identity workflows, including:

  • managing and delegating access to group or shared mailboxes
  • complex identity management scenarios, such as employee email changes or managing users with guest accounts prior to the organization's onboarding
  • managing administrator access from external parties in parallel to managing access for employees
  • creating alias email addresses for users and shared mailboxes

Synchronization of changes can also be scheduled as an automated task that runs at the frequency the organization desires, to ensure that users and rights to mailboxes are provisioned and deprovisioned as soon as changes are made in the underlying source system.

Has my email been received?

Say goodbye to inefficient couriers and fax machines and welcome in a new era of smart, secure proof of delivery for your most sensitive digital communications.

Zivver Prove empowers users to view, download, and print a Proof of Delivery or Proof of Receipt report for every message and file sent or received via Zivver. You can verify the status of your sensitive documents within your Zivver enabled email client (Outlook, Gmail) or via Zivver Web.

The magic of new generation digital communications security lies in its invisibility. Unlike traditional platforms, new solutions are disruptive only in the ways that matter, and work silently in the background of email clients to empower users with smart, right-sized functionality fit for businesses across every industry:

  • Effortless – Capable of operating within existing email tools intuitively, empowering your people to ensure security with a single (or no) click
  • Secure – Not just ‘good enough’ but has a high level of end-to-end data protection, with zero keys, zero access, unparalleled encryption and user authentication
  • Smart – Semantic-aware with tailored levels of data protection, along with machine-learning driven, business rule-based error correction

Earlier generations of technology are not up to standard. They fail to keep pace in today’s modern working world, causing friction in everyday workflows. 

It’s up to business leaders today to empower employees with innovative technologies designed to affect a security lifestyle. In this way, enterprises can ensure true security sustainability, today and in the future.

Adam Low

CTO
