Misdirected communications – 2024 update from the ICO

The most common data security incident reported to the Information Commissioner’s Office (UK) for October to December 2024 was … unsurprisingly, misdirected emails. The frequency of using email for communicating with others, the ease of stumbling when using type-ahead addressing in Outlook and other email clients, and the frenetic pace of much office work means that it’s just too easy to choose the wrong person. Of the total incident count reported to the ICO, 21% were of this type.

There are email security add-ins that will alert users that something doesn’t add up in their communication, some of which we’ve written about in recent years. There should also be a necessary emphasis on training users to check and double check when adding someone to an email message or distribution list, but that’s not guaranteed to work in all instances.

The cost of getting it wrong is mainly reputational, although the extent of that cost and any ancillary costs will depend enormously on the contents of the misdirected communication. Banal stuff … not so much. Corporate IP, confidential data, and data subject to privacy regulations … much more so. Excel spreadsheets with customer information – yes, that’s a problem. Mitigation-wise, it depends on the nature of the information that people are sending and receiving, and the personal / corporate / national implications of getting it wrong. The higher the risk, the more layered a mitigation approach should be. And for very high risk situations, choose your tools extremely carefully.
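To make the "something doesn’t add up" check concrete, here is an added example of the kind of pre-send logic such an add-in runs (example code written for this post, not a product’s or Osterman Research’s code). It assumes a sender organisation domain, a list of recipients and attachment names, and a set of addresses the sender has mailed before; the sample message below is constructed.

```python
"""Pre-send checks for an outbound message: flags the patterns behind most
misdirected emails (new external recipient, autocomplete near-miss, spreadsheet
leaving the organisation, recipients spread across several outside domains)."""
import difflib

INTERNAL_DOMAIN = "example.com"            # assumed: the sending organisation's domain
SPREADSHEET_EXTS = (".xlsx", ".xls", ".csv")
NEAR_MATCH_CUTOFF = 0.8                    # assumed similarity threshold for "looks like"


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(recipients, attachments, known_contacts):
    """Return a list of (code, detail) warnings; an empty list means nothing looked wrong."""
    warnings = []
    known = sorted(k.lower() for k in known_contacts)
    external = [r.lower() for r in recipients if domain_of(r) != INTERNAL_DOMAIN]
    for r in external:
        if r in known:
            continue
        # Never mailed before: the first thing a type-ahead slip produces.
        warnings.append(("new_external", r))
        # ...and it closely resembles someone the sender HAS mailed, which is what an
        # autocomplete mistake looks like (jane.smith@partners vs jane.smith@partner).
        for near in difflib.get_close_matches(r, known, n=1, cutoff=NEAR_MATCH_CUTOFF):
            warnings.append(("near_match", f"{r} resembles known contact {near}"))
    # A spreadsheet heading outside the organisation is exactly the "customer data
    # in Excel" case the post calls out, so it gets its own warning.
    if external and any(a.lower().endswith(SPREADSHEET_EXTS) for a in attachments):
        warnings.append(("spreadsheet_external", ", ".join(external)))
    # Several unrelated outside domains on one message is a common reply-all or
    # wrong-distribution-list symptom.
    if len({domain_of(r) for r in external}) > 1:
        warnings.append(("mixed_external_domains", ", ".join(sorted(external))))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the sender meant jane.smith@partner.co.uk but picked a
    # near-identical autocomplete entry, with a customer spreadsheet attached.
    for code, detail in check_outbound(
        ["jane.smith@partners.co.uk", "alice@example.com"],
        ["customers.xlsx"],
        {"jane.smith@partner.co.uk"},
    ):
        print(f"WARN {code}: {detail}")
```

The warning codes are meant to drive a layered response (prompt the user for the low-risk codes, block or require confirmation for the spreadsheet case), matching the risk-based approach described above.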
