While we tend to think of breaches by insiders as an employee intentionally stealing data, the truth is that most insider breaches occur when employees accidentally send email containing customer or other sensitive information to the wrong person. This most often occurs when email application autocomplete features “help” the employee by suggesting names as they are typed. This week we look at ways that you can at least minimize the likelihood that this will occur in your institution.
- Don’t Send Sensitive Information: The easiest way to avoid sending sensitive data to the wrong person via email is simply to stop sending sensitive data via email altogether. While there are times this is not feasible, in most cases there are alternatives that are more secure. One alternative is to email a link to a secure portal, as long as the portal requires an administrator to manually configure access (if access is automatically configured, the email recipient will still be able to access the sensitive data).
- Disable Autocomplete: Most email clients provide the ability to disable autocomplete. Doing so will inconvenience employees but will greatly reduce the likelihood that an email will be sent to the wrong person. If your institution utilizes multiple email clients, be sure to implement this control on each client.
- Configure Warnings: Some email clients allow the configuration of warnings when sending to an outside recipient. This will at least act as a reminder to verify the recipient is the correct person.
- Data Loss Prevention: Some Data Loss Prevention (“DLP”) products can require approval before sensitive data can be sent. Configuring this provides one additional review of who the recipient is before the message leaves the organization.
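
The external-recipient warning and the DLP approval step from the last two bullets can be pictured as one vendor-neutral pre-send check. This is an added example, not code from Bedel Security or from any email or DLP product; the domain `examplebank.com`, the function names, the detection patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"examplebank.com"}  # assumption: the institution's own mail domain(s)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum cuts false positives on arbitrary long digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sensitive_hits(text: str) -> list[str]:
    hits = ["ssn"] if SSN_RE.search(text) else []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card")
            break
    return hits

def external_recipients(msg) -> list[str]:
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [a.lower() for _, a in getaddresses(fields) if a]
    return [a for a in addrs if a.rpartition("@")[2] not in INTERNAL_DOMAINS]

def outbound_decision(raw: str) -> tuple[str, list[str], list[str]]:
    """Return (action, external recipients, sensitive-data hits)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    ext = external_recipients(msg)
    hits = sensitive_hits(f"{msg.get('Subject', '')}\n{body}")
    if ext and hits:
        return "hold_for_approval", ext, hits  # DLP-style review before release
    if ext:
        return "warn_sender", ext, hits        # external-recipient reminder
    return "send", ext, hits

# Constructed sample: autocomplete added a look-alike outside address.
SAMPLE = ("From: teller@examplebank.com\n"
          "To: Pat Smith <pat.smith@examplebank.com>, pat.smith@example.net\n"
          "Subject: Account update\n\n"
          "Customer SSN 000-12-3456, card 4111 1111 1111 1111.\n")
if __name__ == "__main__":
    print(outbound_decision(SAMPLE))
```
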
Bedel Security helps financial institutions identify information security controls for many different threats, even the ones that may occur by accident. If you'd like a fresh set of eyes to look over your controls and make sure you're not missing anything, reach out to us at support@bedelsecurity.com.