When we speak to IT professionals in the finance sector about email security, we find they are often unaware that the majority of data leaks are caused by employee behaviour. The latest security incident reports from the UK privacy regulator, the Information Commissioner’s Office (ICO), quantify the extent of the problem. Its Q3 and Q4 figures show that from 1 October 2020 to 31 March 2021, 60% of data leaks reported by finance, insurance and credit firms were caused by a non-cyber security incident: ‘Data emailed to incorrect recipient’, ‘Failure to redact’ and ‘Failure to use bcc’, for example, all three being human errors. This is in stark contrast to the common misconception that phishing and hacking are the main causes of data leaks.
Weak passwords and a lack of two-factor authentication exacerbate outbound email’s security vulnerabilities, increasing the threat of unauthorised data access still further. Yet many companies believe their email is adequately secured, and that information shared by employees in an ad hoc manner, using a technology protocol that is over 50 years old, is safe. It is this lack of awareness, combined with the latter misapprehension, that leaves many organisations vulnerable to a data breach.
Failure to combat human error and fortify email security can specifically result in:
So what can be done to address email’s extensive security shortfalls?
Applying strong encryption and strong authentication will significantly improve the protection of sensitive information sent via email. Doing so, however, is increasingly a challenge for the multitude of organisations moving towards the cloud and using email systems like Office 365 Outlook and Gmail, as those systems don't offer end-to-end encryption in which only the sender and recipient hold the keys needed to access the information. (We’re one of the few email security companies in the world that doesn’t have access to our customers’ decryption keys.)
Protecting the confidentiality and integrity of email messages
The very data financial services firms are built on is what makes them the most vulnerable. In fact, access to personal information and sensitive financial data means that the finance industry suffers the highest penalisations and costs from data breaches. It has, therefore, never been more crucial for financial institutions to close all communication security gaps and overcome the day-to-day mistakes made by employees.
A good first step for finance and insurance firms is to employ the services of a trusted IT partner – ideally a specialist in email data protection – to identify all pre-existing email security gaps, some of which are, most likely, outlined above. By achieving a bird’s eye view of the digital communication approach used by every department, job role and individual employee, it will then be possible to set about fixing the shortfalls in outbound email security once and for all.
Companies we work with include UK mortgage lender Paratus AMC and international financial services company Achmea, helping them to securely send digital information to their customers and prospects, while also ensuring compliance with ever-changing data protection regulations such as the DPA 2018 and GDPR. This approach not only prevents financial penalties from regulators including the ICO, but also preserves brand reputation and customer trust.
Strike the right balance between security and usability
To secure communications with the greatest efficacy, organisations need to strike the right balance between security and usability, providing employees with the right tools to prevent accidental data leaks. Easy-to-use security solutions that are intuitive and seamlessly embedded into everyday working lives will enable even the non-tech-savvy employees within an organisation to participate in cybersecurity efforts. Our email data protection technology, for example, adds a security and privacy layer on top of existing email systems, such as Outlook (desktop and Microsoft 365) and Gmail, ensuring that staff don’t have to change their usual way of working.
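The three ICO error classes named earlier (wrong recipient, failure to use bcc, failure to redact) are exactly what a pre-send check on outbound mail can catch. The following is an added illustration, not the author's product or any part of the original post; the internal and known domains, the similarity threshold and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses

# Assumed (constructed) domains: INTERNAL_DOMAINS are the organisation's own,
# KNOWN_DOMAINS are correspondents we expect, used to spot likely typos.
INTERNAL_DOMAINS = {"examplebank.example"}
KNOWN_DOMAINS = {"examplebank.example", "partner-insurer.example"}
TYPO_SIMILARITY = 0.9  # assumed threshold for "looks like a typo of"


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _luhn_ok(digits):
    """Luhn checksum, so that random digit runs are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_outbound(raw_message):
    """Return warnings for an RFC 822 message: missing Bcc, typo'd recipient
    domain, and card-like numbers left unredacted in a plain-text body."""
    msg = message_from_string(raw_message)
    warnings = []
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = {_domain(a) for _, a in visible if _domain(a) not in INTERNAL_DOMAINS}
    # Failure to use bcc: several unrelated external organisations can see each other.
    if len(external) > 1:
        warnings.append("bcc: %d external domains visible in To/Cc" % len(external))
    # Data emailed to incorrect recipient: a domain close to, but not, a known one.
    for dom in sorted(external - KNOWN_DOMAINS):
        for known in sorted(KNOWN_DOMAINS):
            if SequenceMatcher(None, dom, known).ratio() >= TYPO_SIMILARITY:
                warnings.append("recipient: %s looks like a typo of %s" % (dom, known))
    # Failure to redact: a 13-19 digit run (spaces/dashes allowed) passing Luhn.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", body):
        digits = re.sub(r"\D", "", m.group())
        if _luhn_ok(digits):
            warnings.append("redact: card-like number ending %s in body" % digits[-4:])
    return warnings


# Constructed sample message exhibiting all three error classes.
SAMPLE = ("From: adviser@examplebank.example\n"
          "To: client@partner-insurer.example, other@webmail.example\n"
          "Cc: colleague@partner-insurer.exmaple\nSubject: Statement\n\n"
          "Your card 4111 1111 1111 1111 is now active.\n")
```

Each warning names the error class so it can be shown to the sender before the message leaves, or logged for the security team.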
Financial services firms should strive to become enablers, ensuring that the secure outbound email technology they deploy is security compliant, integrates into existing workflows, is familiar and intuitive for the people using it, and is intelligent in helping people to make better and safer decisions.
It is our belief that employees are not risks to be mitigated, but key assets to be enabled. When employees are equipped with the right digital tools and understand how their behaviour impacts the frontline of email security, they become much more efficient at detecting scams, preventing data breaches, and protecting sensitive information.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.