NHS Highland was recently penalised for a data breach that exposed the personal email addresses of individuals invited to use HIV services. The health board mistakenly used carbon copy (CC) instead of blind carbon copy (BCC), exposing email addresses to all recipients.
The Information Commissioner's Office (ICO) deemed this mistake a "serious breach of trust”. Due to the severity of the incident, the ICO issued a reprimand to the health board, rather than imposing a £35,000 fine. Stephen Bonner, deputy commissioner for regulatory supervision, emphasized the need for organizations handling such sensitive information to exercise the utmost care with personal data. NHS Highland acknowledged the ICO's findings and is taking measures to prevent a similar incident from occurring again.
Unfortunately, this is not a rare occurrence. According to the ICO, improper use of BCC ranks consistently among the top 10 non-cyber related causes of data leaks, with approximately 300 cases reported each year.
Training does not prevent human error
It is no secret that human error is the leading cause of data leaks. In an effort to prevent mistakes, organizations resort to compulsory training, investing in awareness programs and training sessions to familiarize employees with security best practices and procedures.
However, research shows that training alone has limited effectiveness. In a recent survey, we learned that 33% of employees indicate that they learned nothing from cybersecurity training. Moreover, 31% of employees had not received any training within the last year.
Naturally, training does little to prevent human error. People will still make mistakes, especially when under time pressure or faced with information overload.
How to prevent data incidents caused by human error
To effectively prevent employees committing those small mistakes with the biggest consequences, organizations need to go beyond traditional cyber security training. Busy people need to be supported at the moment incidents are most likely to occur. We call this decision support.
Powered by advanced machine learning, Zivver reads emails as they are drafted and notifies the user to potential errors, making recommendations on the best course of action. When sending emails to large groups of recipients, for example, Zivver automatically recommends the use of BCC, empowering the employee to avoid a data leak before pressing ‘send’.
Through seamless integration with Gmail and Outlook, Zivver operates silently in the background, intervening only when it truly matters and allowing employees to work smoothly without unnecessary interference (from pop-ups or reply-all emails) or changes to their familiar workflows.
A proven addition to cybersecurity programmes, Zivver prompts employees to consider the data they are sending and to whom, growing an organization-wide security minded culture.
Zivver prevented 3 BCC errors per organization on average in 2022
Over 7,000 organizations avoid the leading causes of data leaks with Zivver, with approximately 6,000 organizations utilizing Zivver’s BCC rule. According to analysis, Zivver prevents 1,500 BCC errors every month - that’s an average of three BCC-errors prevented per organization every year.
Not only does this demonstrate the effectiveness of in-the-moment error prevention; it serves to highlight that the 300 data leaks caused by ‘failure to use BCC’ reported to the ICO are very likely to be just the tip of the iceberg.
In our mission to empower organizations to enhance their email security, we are offering free activation of the BCC rule to our current customers. To learn more, contact your customer success manager.
To learn more about our data loss prevention solutions, get in touch.
Last updated - 15/06/23