Last week we discussed email security from the perspective of network security – or security related to the journey of email from sender to recipient. This week we’ll discuss security issues that arise due to human behaviour – how the way we treat and interact with email can create significant security vulnerabilities. In fact, while many people are afraid of attack by a hostile external party, the most common data security incidents arise due to human error from someone internal to the company. Firms can take proactive steps to prevent external attack but it is very difficult to prevent unintended human error. And according to a study by IBM, 95% of all security incidents involve human error.
The first of those human errors is selecting the wrong recipient for an email – a trivial but very common mistake with potentially significant consequences. While generally harmless (although sometimes embarrassing), misaddressed emails led to 13 of the 32 major security breaches that occurred in the legal industry and were reported to the UK’s Information Commissioner’s Office in 2017 (another 5 breaches were due to misaddressed letters or faxes). Other human errors that led to a breach included leaving data in an unsecured location and failing to redact data. Lawyers have a duty of confidentiality to their clients, so misaddressed emails should always be a concern when dealing with client information and should be especially concerning when the email includes transaction documents.
The next common human error is falling victim to a phishing attack distributed through email. This error can be difficult to avoid, as these scams are becoming more and more sophisticated. Phishing occurs when a malicious external party sends an email purporting to be from a legitimate organization and requesting information for what appears to be a valid purpose. The victim, believing the email is legitimate, provides the requested information, which is generally confidential in nature. The attacker then receives this information and uses it for malicious purposes. These phishing emails can look extremely professional and convincing. While technologies exist (such as Mimecast) that automatically analyze emails to assess their authenticity, the best practice is to undertake training on email security and to be suspicious of requests for information that do not come from trusted contacts. In fact, most services will never ask you to email or otherwise provide your password, so any email asking for such information should be flagged.
Corporate transaction management platforms allow you to share documents with your client in a secure environment that does not require email. With dealcloser, your clients have a safe and secure environment in which to review all of their transaction documents without the need to use email. There is no risk of misaddressing an email and accidentally sending confidential transaction documents to the wrong person. Your client simply logs in to dealcloser and can then easily access each document.