
The Financial Services sector is one click away from disaster

By Andrea Babbs, UK General Manager, VIPRE SafeSend

From regulatory compliance to safeguarding Intellectual Property (IP), financial services organisations are increasingly concerned about the risk of inadvertent data loss as a result of employee mistakes. And for good reason: with so much communication reliant upon email, human error is now the primary cause of data breaches. Indeed, growing numbers of organisations have introduced a ‘one strike’ policy; accidentally sending an email to the wrong person, or adding an incorrect attachment, has become a sackable offence.

While understandable, to a degree, this is hardly a supportive strategy. Humans make mistakes – and stressed, tired employees will make even more mistakes. Adding the pressure of losing your job is potentially counterproductive. Employees already spend almost two days of each working week reading, deleting, responding to and creating emails – what they need is a way to avoid mistakes, a chance to check before they send. Andrea Babbs, Head of Sales, VIPRE SafeSend, explains how a simple second check for users will help to keep personal and sensitive data more protected with a layered approach.

Employee Threat

Business reliance on email is creating a very significant cyber security risk – and not simply due to the increasing volume and sophistication of phishing attacks. Email is the number one threat vector in organisations and the cause of nearly all data breaches, as confirmed by the Identity Theft Resource Center. It will come as no surprise to those who have experienced the stress and fear of mistakenly sending an email to the wrong person, or adding the wrong attachment, that the Center’s March 2019 breach report[i] cited employee error as the number one cause of data breach or leakage.

Given the sheer volume of email, mistakes are inevitable. According to McKinsey, the average worker today spends nearly a third of their working week on email[ii]. Employees are increasingly trusted with company-sensitive information, assets, and intellectual property. Many are permitted to make financial transactions – often without requiring any further approval. Given the data protection requirements now in place, not only GDPR but also industry-specific regulation as well as internal compliance, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.

But is a strategy that simply imposes stringent penalties – including dismissal – on employees for mis-sent emails without providing any form of support going to foster a positive culture? What employees require is a way to better manage email, with a chance for potential mistakes to be flagged before an individual hits send.

Imposing Control

While financial services organisations now recognise that any employee, at any time, is a cyber security threat, few recognise that there is a solution that can add a layer of employee security awareness. Financial services organisations can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check. Essentially, before any email in Microsoft Outlook is sent, the user gets a chance to confirm both the identity of the addressee(s) and, if relevant, any attachments. Certain domains – such as the company and/or parent company – can be added to an allow list, if the business is happy for users to email internally without checking. Or the solution can be deployed on a department-by-department, even user-by-user basis. A business may not want HR to be able to mistakenly send sensitive personal information to anyone internally and may therefore require a confirmation for all emails. The same applies to financial data, and even to marketing data at certain times – such as in the run-up to a highly sensitive new product launch.

In addition to confirming the validity of email addresses and attachment(s), the technology can also check for key words within the email. Each business will have its own requirements – in addition to common terms such as confidential or private, or regular expressions to cover broader terms such as credit card numbers or National Insurance numbers, a company may opt to set key product ingredient names as key words to prevent data loss. Any emails – including attachments – containing these key words will be flagged, requiring an additional confirmation before they are sent, and providing users a chance to double check whether the data should be shared with the recipient(s).

Reinforcing Good Practice

This simple chance to check before you send provides an essential opportunity to minimise accidental data loss, whilst reinforcing compliance credentials. Accidentally CCing a customer rather than the similarly named colleague will be avoided because the customer’s domain name will not be on the allow list and will therefore be automatically highlighted. Appending a confidential marketing document to an email, rather than a product list, will be flagged. And with a full audit trail, the IT security team has full visibility of the emailing decisions made by employees.

This is key: rather than an overtly punitive approach, financial services organisations can reinforce a security culture, building on education and training with a valuable tool that helps individuals avoid the common email mistakes that are inevitable when people are rushing, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.

Indeed, in addition to providing a vital protection against email mistakes, this approach can also help users spot phishing attacks – such as the email that purports to come from inside the company, but actually has a cleverly disguised similar domain name. If an employee responds to an email from V1PRE, for example, as opposed to VIPRE, thinking it genuinely comes from inside the business, the technology will automatically flag that email when it identifies that it is not an allowed domain, enabling the user to cancel send and avoid falling for the phishing attack.
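The pre-send check described above (allow-listed domains, key words and regular expressions, and the V1PRE/VIPRE case), as an added Python example that is not VIPRE SafeSend's code; the `.example` domains, the policy values and all function names are constructed for illustration. It goes one step beyond the article by also naming the allowed domain that a non-allowed one resembles, and by validating card-like digit runs with the Luhn checksum.

```python
import re

# Constructed sample policy; a real deployment would load its own values.
ALLOWED_DOMAINS = {"vipre.example"}        # assumption: the company's own domain
KEYWORDS = {"confidential", "private"}     # the common terms the article names
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b", re.I)
# Characters commonly swapped to imitate a domain (V1PRE for VIPRE).
CONFUSABLE = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s"})

def luhn_ok(digits):
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_recipient(address):
    """Return None for an allowed domain, otherwise the reason to ask for confirmation."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in ALLOWED_DOMAINS:
        return None
    folded = domain.translate(CONFUSABLE)
    for allowed in ALLOWED_DOMAINS:
        if folded == allowed.translate(CONFUSABLE):
            return f"{address}: domain imitates allowed domain {allowed}"
    return f"{address}: domain not on allow list"

def check_content(text):
    """Return a reason for each key word or pattern found in a body or attachment."""
    reasons = [f"keyword '{k}'" for k in sorted(KEYWORDS)
               if re.search(rf"\b{re.escape(k)}\b", text, re.I)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            reasons.append("possible payment card number")
    if NINO_RE.search(text):
        reasons.append("possible National Insurance number")
    return reasons

def review_before_send(recipients, body, attachments=()):
    """Everything the sender must confirm; an empty list means send without a prompt."""
    flags = [r for r in map(check_recipient, recipients) if r]
    for part in (body, *attachments):
        flags += check_content(part)
    return flags
```

Attachments are passed as already-extracted text; extracting text from documents is outside what this example covers.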

Conclusion

Accidental data leakage is a significant yet apparently inevitable risk when business communication is so reliant upon email – with serious implications of reputational damage, IP loss, compliance breach and the associated financial costs. When it comes to minimising such errors, user education is important. Email culture is essential. But there is only so much humans can do.

Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing potentially sensitive information about the organisation, its customers or employees – not only minimises errors, it helps to create a better email culture. The premise is not to add time or delay in the day-to-day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.

By enabling users to make an informed decision about the nature and legitimacy of their email before acting on it, organisations can now mitigate against this high-risk area, while reinforcing compliance credentials.