Reducing GDPR breach risk starts in the inbox

Email Security

As one of the most frequently exploited entry points into a company, email poses a major threat to data security. Whether the target is the data in a user's inbox or shared mailboxes, or the access those accounts grant to drives and third-party systems such as CRM platforms, the inbox can serve as the starting point for many breaches.

An email breach is a gateway to your company’s data

One such case involved a law firm compromised via an Outlook email account. The attacker was then able to redirect payments intended for beneficiaries in a probate matter. 

This is why a strong security posture that starts at the inbox is not only essential for overall security but also directly supports your company in meeting its GDPR obligations.

However, this is not a challenge that can be solved by technology alone. It needs the right tools combined with well-trained users, working together in a coordinated approach to email security. 

Humans are the biggest source of breaches — start there 

An estimated 90% of security breaches are caused by human error, so the biggest area of improvement starts there. With email threats becoming more sophisticated and targeted, it’s more important than ever that users know what to look out for with phishing attacks.  

Datatilsynet, Denmark’s data protection authority, reports similar findings, attributing more than 80% of recent incidents to human error. Of those, phishing was the top cause of breaches.   

This makes it clear that a good defence starts with your users:   

  • Train them effectively. Once-a-year, tick-box compliance isn’t enough. Training needs to be up to date, engaging and delivered regularly. Tools that can automate training and deliver content that sticks will allow users to better navigate the threats facing their inboxes. Back it up with quizzes to test their retention and spot areas of weakness.  
  • Put the training into action. Create phishing simulations that move beyond theory and see how users react to phishing attempts in their inbox. See which attempts may have tricked users and identify gaps in training so you can strengthen your response.  
  • Report and adapt. The larger the organisation, the more data you can draw upon. Identify trends, monitor test scores and see what’s tripping up users in the real world. It isn’t just a useful source of actionable information — it also demonstrates a culture of training and clear processes, both of which are required for directives such as NIS2.  

Good data habits underpin GDPR compliance 

In addition to training users to identify threats, embedding GDPR principles into everyday behaviour is critical. This helps prevent issues before a phishing attempt leads to an incident. 

For GDPR, it’s worth reinforcing certain behaviours when it comes to data specifically. It’s a company asset and should be treated as such. 

Every second counts during a breach. Good data habits can mitigate some of the effects of an attack and, at the very least, slow exposure during an incident. 

  • Encourage use of corporate systems. Data often ends up scattered across spreadsheets, paper records and personal storage. This makes it harder to secure and manage. Ensure users use company-approved tools such as CRMs, marketing systems and ticketing tools to store their data. 
  • Never send sensitive data via email, even internally. Email creates persistent copies that are difficult to control. Store data in centralised systems such as CRM platforms or SharePoint. When sharing externally, use controlled sharing mechanisms that allow access to be monitored and rescinded. Internally, encourage sharing from SharePoint or OneDrive. Any data that is temporarily stored for a specific purpose should be deleted once its objective has been completed.
  • Use retention policies where appropriate. On a corporate level, you can set data retention policies while also giving users the ability to manually limit email lifespan. If an email has sensitive information for a short-term purpose, encourage users to set a stricter retention policy themselves on the sent email. 
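The retention setup described in the last point, as an added example that is not part of the original post: an Exchange Online configuration that gives the tenant a default mail lifespan while also publishing a stricter personal tag that users can apply themselves from Outlook to short-lived messages containing personal data. The tag names, day counts, policy name and the user@example.com mailbox are assumptions; the cmdlets are standard ExchangeOnlineManagement cmdlets.

```powershell
# Added example (not from the original post): Exchange Online retention tags that
# set a tenant-wide default lifespan for mail and let users apply a stricter
# personal tag to individual messages. Names and day counts are assumptions.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Tenant-wide default: anything still in the mailbox after 2 years is deleted,
# but stays recoverable for the deleted-item retention period.
New-RetentionPolicyTag -Name "Default - delete after 2 years" `
    -Type All -AgeLimitForRetention 730 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Assumed default lifespan for mail the user did not tag"

# Personal tag that users can apply from Outlook to mail holding personal data
# that is only needed for a short task (for example a spreadsheet sent to a
# colleague to process). Once applied, the message is purged after 30 days.
New-RetentionPolicyTag -Name "Personal data - delete after 30 days" `
    -Type Personal -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete `
    -Comment "Apply to messages holding personal data for a short-term purpose"

# Bundle both tags into one policy and assign it to every user mailbox.
New-RetentionPolicy -Name "GDPR mail lifecycle" `
    -RetentionPolicyTagLinks "Default - delete after 2 years", "Personal data - delete after 30 days"

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-Mailbox -RetentionPolicy "GDPR mail lifecycle"

# Verify which policy a mailbox ended up with and which tags it can use.
Get-Mailbox -Identity user@example.com | Select-Object DisplayName, RetentionPolicy
Get-RetentionPolicy -Identity "GDPR mail lifecycle" |
    Select-Object -ExpandProperty RetentionPolicyTagLinks

# Optional: process one mailbox now instead of waiting for the scheduled pass.
Start-ManagedFolderAssistant -Identity user@example.com
```

Only one tag of type All (the default policy tag) can exist in a policy, so the tenant-wide lifespan is set once and the personal tag is the mechanism for the stricter, user-chosen retention the text recommends. Users see the personal tag under Assign Policy in Outlook once the Managed Folder Assistant has processed their mailbox.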

The best breach attempt is one that never reaches the inbox

You've trained your teams, run your phishing simulations and created your reports. However, stopping phishing attempts from ever reaching a user's inbox should remain the first line of defence.

At London's Kaseya Local Connect event, MSPs took to the stage to discuss how the evolving email threat was due, in large part, to AI. However, they also emphasised that AI is equally important in defending against it.

AI can offer conversation analysis that understands the intent of an email, QR code scanning that finds hidden URLs and checks them, and machine learning that learns from previously identified spam and phishing emails and adapts on the fly to future incoming mail.

You can also give users a helping hand on a regular basis by categorising emails and their risk level, helping users keep security top of mind with every message. 

Failures can be costly

Organisations can be fined up to 4% of annual global turnover or €20 million (or £17.5 million) for breaching GDPR. The reputational damage can also be devastating. 

Email security is just one strand of GDPR compliance, but a critical one. In a Kaseya study, 56% of SMEs said they had been impacted by phishing messages, with 40% citing prior business email compromise (BEC) incidents. Against that backdrop, a GDPR breach becomes increasingly likely.  

Whether you are a company looking to improve its GDPR and NIS2 compliance, or an MSP providing services to your customers, your priorities are much the same. Manual processes aren't enough, and you can't rely on human behaviour alone or on technology alone.

A combined approach is essential. At every stage, you should look to automate your training, reporting and threat detection ability to ensure the technology part of your approach is performing properly as part of GDPR compliance.  
