Editorial

Egress: Blame culture a problem for data breaches

Egress research shows employees being punished and even fired for email-based security errors

Posted 5 October 2020 by

Employees shouldn’t be punished for accidental data breaches.

That’s according to a new survey that highlights the scale of data security risks related to email use. Ninety-three percent of IT leaders say their organisation has suffered data breaches through outbound email in the last 12 months. On average an email data breach happens approximately every 12 working hours.

The most common breach types were replying to spear-phishing emails (80 percent); emails sent to the wrong recipients (80 percent); incorrect file attachments (80 percent).

The 2020 Outbound Email Data Breach Report from Egress states: “Blame culture deeply impacts data breach reporting. It makes sense: If you think you’re going to be reprimanded for something, you’re less likely to come forward about your or others’ mistakes. Of course, there has to be accountability – but at the same time, this has to be proportionate to the incident that’s taken place. We should limit punishments for genuine mistakes, while at the same time, working to ensure it doesn’t happen again.”

In nearly 50 percent of incidents the individual responsible for the breach received a formal warning. Perhaps even more surprisingly, on an average of 27 percent of occasions, the employee was fired.

This backs up recent research which found that more than four in 10 organisations take disciplinary action against staff who make cybersecurity errors.

“In a climate where these instances are obviously happening an awful lot, you really want to drive trust and openness that that you can work with your staff and support them,” said Daniel Hoy, VP corporate marketing at Egress.

“Because in most cases, as our research speaks to, this isn’t malicious intent. This is people trying to do their jobs to the best of their abilities. But humans are fallible and make mistakes, and to reprimand them in that way drives absolutely the wrong message to those individuals.”

The results, said Hoy, is the employee thinks: “’Crikey, I’ve made an honest mistake, but I’m not going to tell anyone. I’m going to try and cover my tracks because I’m fearful for my job.’ And that absolutely breeds the wrong kind of culture in organisations.”

Indeed, given the harsh penalties, it is not guaranteed employees will own up, especially if the incident is serious. When an outbound email data breach happens, 20 percent of IT leaders said they would be alerted by the email recipient, 18 percent felt another employee would report it, while only 24 percent said the employee who sent the email would disclose their error.

Increase in email traffic

Moreover, rising outbound email volumes due to COVID-19-related remote working and the digitisation of manual processes are also contributing to the risk. 94 percent of respondents reported an increase in email traffic since the onset of COVID-19 and 70 percent believe that working remotely increases the risk of sensitive data being put at risk from outbound email data breaches.

When asked to identify the root cause of their organisation’s most serious breach incident in the past year, the most common factor was “an employee being tired or stressed”. The second most cited factor was “remote working”.

“More emails mean more mistakes, and a greater likelihood of more of these types of breaches,” said Hoy. “Working from home means lots of potential distractions, people who are more stressed and probably working longer hours, because that kind of work life balance is blurred a little bit. People are even more likely to make mistakes.”

The research also found that 16 percent of those surveyed had no technology in place to protect data shared by outbound email. Where technology was deployed, its adoption was patchy: 38 percent have Data Loss Prevention (DLP) tools in place, while 44 percent have message level encryption and 45 percent have password protection for sensitive documents. However, the study also found that, in a third of the most serious breaches suffered, employees had not made use of the technology provided to prevent the breach.

“Technology has a responsibility to better support employees and to invest in technologies to better help employees. So when you are rushing, you get a prompt that suggest you might be about to send something to the wrong person, or to a Hotmail account, when that’s not something you normally do,” said Hoy.

“My hope is that they show far more openness and change those cultural, blame game approaches, and invest more in some of the tech to try and mitigate the risks.”