CEO Interview: Demystifying the Human Layer, with Egress’ Tony Pepper
Thu 15 Oct 2020
Out of the 2376 data breaches reported to the UK ICO last year, 90 percent were caused by human error. Clearly, despite increased cyber awareness campaigns and untold time and money invested in cyber training, organisations are still struggling to shore up “The Human Layer”
Human Layer Security refers to the tools and practices required to protect sensitive data that employees and contractors handle as part of their day-to-day activities. It effectively refers to securing the activities of an organisation’s people and any other third parties staff may collaborate with to achieve their goals.
No one industry is more or less vulnerable to human-based incidents as almost every employee in every organisation has to share personal data or privileged corporate information on a daily basis. But the consequences are more severe in highly-regulated industries such as healthcare, financial services and banking, legal, and Government, all of which collect and share an abundance of personal data. Corporates risk damaging client relationships, legal proceedings and even share price if exposed.
As Tony Pepper, CEO at cyber security firm Egress explains, the reason the Human Layer has proven so difficult to plug, perhaps compared to the application layer, is that an organisation’s people are not 1s and 0s, but prone to mistake, error and misjudgement. “Human layer security is essentially about understanding that people put sensitive data at risk every day – often without meaning to,” he notes.
The most obvious frontier of Human Layer Security is Email. An email platform such as Outlook is the average employee’s most-used application. It is also the easiest way for an employee to make a SNAFU. According to an Egress study, an organisation of 250 employees will experience 180 incidents every year where sensitive data is put at risk due to outbound email. “That’s one incident every 12 working hours,” says Pepper.
While email platforms have some security protocols in place, they are generally geared to making it as easy as possible for a user to attach a file and dispatch it, maximising productivity with feature and user experience rather than measuring it with security controls:
“A common cause of email leaks is accidentally adding a wrong recipient because they’ve been suggested by Outlook autocomplete. That functionality was designed to make life easier by suggesting people you’ve recently sent emails to or received emails from, or those you email the most – but it also introduces risk that you’ll send an email containing sensitive information to the wrong recipient,” Pepper explains.
According to Egress’ research, this problem of emailing the wrong person is the primary cause of breaches – both because of spear phishing attacks (81%) and by accidentally adding the wrong person (80%). The next highest causes were attaching the wrong file (79%) and forgetting to use the Bcc field (76%).
Anyone who has worked at an organisation has their own cringeworthy anecdote of an Outlook-based error. While some employees face legal action or are fired, most escape with a slap on the wrist and some unwelcome embarrassment as the majority of errors are not serious.
However, all it takes is one serious incident to cause very real consequences for employers. When recently asked about their most damaging security incident caused by outbound email, 33% of CISOs said their organisation had suffered financial damages; 26% said they experienced reputational damage; and 26% were investigated by a regulator. “Organisations are experiencing an average of 180 incidents per year, but it only takes a small number of these to be classified as “serious” before your organisation begins to struggle from the impacts,” says Pepper.
The chief problem when it comes to email security is that CISOs are not aware of incidents until it’s too late. People-based reporting – when senders, recipients or other colleagues alert senior staff to an email data breach is patchy, incomplete and unreliable. The evidence suggests that the first port of call needs to be a cultural shift towards greater transparency.
“In the first instance, the people involved have to notice that it’s happened and then they have to be willing to report on it,” Pepper says. “And research shows that they’re probably not going to say anything if they think they don’t have to. It’s just human nature. Some people are afraid of disciplinary ramifications, some don’t want to rock the boat or get other colleagues in trouble, and others just don’t realise the risk.”
Often when an incident comes to light, it is just the tip of the iceberg. This is why Egress wants to show how technology can replace people-based reporting and bring some simple and stable transparency to Human Layer incidents.
The company recently launched a free email analyser that quantifies the number of email incidents that have occurred in an organisation over the last 12 months which were caused by misdirected emails, data loss prevention violations and unverified transport layer security. “As with any security risk, once you fully understand its scale, you can make sure you’re taking all necessary steps to mitigate it,” explains Pepper.
Once an organisation has a clearer picture of what’s taking place under their roof, Egress’ proprietary email security platform might be a no-brainer. Features include “contextual machine learning” to detect when employees are about to accidentally or intentionally leak data; certified email encryption that can be automated based on the level of risk to sensitive data, and powerful reporting tools so organisations can ensure ongoing security and compliance.
Do you have a handle on your Human Layer? Or are your best people also the greatest risk factor in your organisation’s security architecture?