5 reasons financial services must re-evaluate security training


Human error is the leading cause of data loss events; this is widely acknowledged today. It’s time to leverage technology to arm employees with the skills and knowledge they need to be your organisation’s greatest defence, rather than your weakest link.

Accidental data leakages caused by people – emailing sensitive information to the wrong person, for example – can be avoided, but only when staff are provided with the appropriate digital tools and training. (Note: It’s also important to be able to carry out a thorough and precise audit of outbound email activity should the worst happen.)

To show the extent of the threat, here are the top five reasons why your data loss prevention (DLP) strategy must prioritise real-time awareness training and innovative user-friendly tech to be truly effective:

Reason #1 – Email is here to stay

Portals, file sharing platforms, or data rooms are no replacement for email. In fact, since the outbreak of the coronavirus pandemic, we’re relying on email more than ever. With more than 300 billion emails sent each day, mistakes are inevitable – and it only takes one error for a major breach to occur. So, how can email go wrong?

  • Accidentally hitting ‘reply all’ (instead of ‘reply’)
  • Using ‘Bcc’ incorrectly
  • Inputting the incorrect recipient
  • Spelling errors
  • Adding the wrong attachment
  • Replying to a phishing email

Even more concerning is that around 29% of financial service employees have admitted to clicking on a phishing email at work. Consider the number of emails an employee might send every day, with each having a risk of data loss attached. Now scale that up across hundreds or even thousands of employees; it’s fair to say that outbound email leaves a lot of room for error.

Traditional security training not only skips the issues caused by human error but also fails to meet the needs of every single employee. That’s why training in real-time – to secure outbound emails and teach best practice – is the most effective solution today.

Reason #2 – Emails remain at risk in transit

Financial services companies need to ensure emails are sent safely and securely with the right encryption methods so that they (a) aren’t intercepted and (b) reach the right destination. Around 12% of emails were sent unencrypted in 2020, according to Google’s Transparency Report – a huge issue for a sector built on highly sensitive personal and financial data.

Standard encryption methods don’t always do enough to prevent data being intercepted. The basic security measure, STARTTLS, is opportunistic: it attempts to deliver the email encrypted but, if this isn’t possible, will either deliver it unencrypted or fail to deliver it at all, depending on how the sending server is configured.
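The two STARTTLS outcomes described above come down to a sender-side policy choice. The sketch below is an added example, not code from the article or from any product it mentions: `deliver`, `TLSRequired` and the `FakeSMTP` stand-in are hypothetical names, and the message and addresses are constructed. `deliver` works with any object exposing the `smtplib.SMTP` methods it calls.

```python
import ssl
from email.message import EmailMessage

class TLSRequired(Exception):
    """Policy demands encryption and the server did not offer it."""

def deliver(conn, msg, require_tls=True, context=None):
    """Send msg over an smtplib.SMTP-like connection.

    Returns "encrypted" or "plaintext". With require_tls=True the message is
    never sent in the clear: delivery fails instead of downgrading.
    """
    conn.ehlo()
    if conn.has_extn("starttls"):
        # A default context verifies the server certificate and hostname.
        conn.starttls(context=context or ssl.create_default_context())
        conn.ehlo()  # capabilities seen before TLS must not be trusted
        mode = "encrypted"
    elif require_tls:
        # The client cannot tell why the offer is missing, so it stops here.
        raise TLSRequired("no STARTTLS offered; refusing plaintext delivery")
    else:
        mode = "plaintext"  # opportunistic fallback: content is readable in transit
    conn.send_message(msg)
    return mode

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, extensions):
        self.extensions = {e.lower() for e in extensions}
        self.tls, self.sent = False, []
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return name.lower() in self.extensions
    def starttls(self, context=None):
        self.tls = True
    def send_message(self, msg):
        self.sent.append((self.tls, str(msg["Subject"])))

def sample_message():
    """Constructed message used only for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "advisor@bank.example"
    msg["To"] = "client@customer.example"
    msg["Subject"] = "Q3 statement"
    msg.set_content("Your statement is ready.")
    return msg
```

With `require_tls=False` the same call silently falls back to plaintext, which is the behaviour the paragraph above warns about.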

Reason #3 – Third parties can still access financial info

Equally critical is the issue of who holds the key that can unlock that data. If it’s anyone other than the sender and their intended recipient, the data isn’t truly secure.

When scouting for an email security solution, it is vital to establish whether the provider holds the encryption keys. (Note: Widely used email security products – including Microsoft 365’s Outlook and Gmail – retain access to your keys.) If they do, they can access your data – and so can any hacker who accesses their servers. To guarantee data privacy, make key ownership a priority when assessing your email security.

Reason #4 – Your current solution might not do everything you think it does

Outlook, for example, may allow users to set DLP rules that scan emails for sensitive information – but often these are too rigid and aren’t dynamic enough to react to changing circumstances, such as the global shift to hybrid working.

In addition, most “traditional” email security platforms protect against inbound and malicious security threats only, prompting IT and security professionals to assume that data incidents resulting from human error are unavoidable. This misconception is where the real issue lies.

Reason #5 – If you can’t recall an email, you can’t prevent a data leak

The world’s two leading email clients still don’t enable users to recall emails sent in error. Microsoft 365’s Outlook will only allow users to recall an email if the recipient is using the same cloud-based Outlook app and hasn’t already opened the email; Gmail gives users the opportunity to ‘unsend’ an email, but only if the sender clicks the button in under 30 seconds.

Email recall is more than just a handy function for employees; when it all goes wrong, it’s vital to be able to redact an email without jumping through multiple hoops.

Transform your weakest security link into your greatest defence

Today, financial services organisations can transform their weakest security link – that is, their people – into their greatest defence. The solution is real-time awareness training to instil best practice, without interfering with employees’ existing workflows or processes.

Zivver observes the content of emails as they are being prepared, helping staff to catch mistakes before they happen. Automated notifications alert users to potential security errors (incorrect recipients, misuse of ‘Bcc’, missing attachments, confidential information, etc.) – so they can act wisely before pressing ‘send’.
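To make the idea of pre-send checks concrete, here is an added example that is not Zivver's code and does not describe how any product works: `presend_warnings`, its threshold and its patterns are hypothetical, and the draft is constructed. It flags three of the mistakes listed earlier: recipients exposed in To/Cc, a mentioned but missing attachment, and a likely payment card number.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

ATTACH_HINT = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def presend_warnings(msg, internal_domain, bulk_threshold=5):
    """Return warnings for a draft EmailMessage before it is sent."""
    warnings = []
    # Bcc misuse: many outside addresses exposed to each other in To/Cc.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + internal_domain.lower()
    external = [a for _, a in visible if not a.lower().endswith(suffix)]
    if len(external) >= bulk_threshold:
        warnings.append("bcc: %d external recipients visible in To/Cc" % len(external))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Missing attachment: the text promises a file that is not there.
    if ATTACH_HINT.search(body) and not list(msg.iter_attachments()):
        warnings.append("attachment: body mentions an attachment but none is present")
    # Confidential data: digit runs that pass the card-number checksum.
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            warnings.append("sensitive: possible payment card number in body")
            break
    return warnings

def sample_draft():
    """Constructed draft; 4111 1111 1111 1111 is a well-known test number."""
    msg = EmailMessage()
    msg["From"] = "advisor@bank.example"
    msg["To"] = ", ".join("client%d@customer%d.example" % (i, i) for i in range(6))
    msg["Subject"] = "Updated payment details"
    msg.set_content("Please see the attached form. Card on file: 4111 1111 1111 1111.")
    return msg
```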

Users maintain control after sending, with the ability to redact (quickly and effectively, with no stipulations), set expiration periods, and apply two-factor authentication (2FA) rules to ensure information security.

The reality is, while email is universal, reliable, and easy, it is also often very difficult to secure. By applying real-time security awareness training alongside a layer of user-friendly technology, finance and insurance firms can optimise the security of their outbound email, preventing data leaks caused by human error and implementing a culture of email security as standard.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
