Please fill in the form below to subscribe to our blog

Employees & Email Are a Data Security Disaster Waiting to Happen

June 16, 2022

Email + Employees = The Biggest Threat to Data Security Businesses Face


Businesses are being inundated with threats to their data security as cybercriminals hunt for fresh stores of data to peddle in the booming dark web data markets. With cybercrime numbers rising every day, it may seem like bad actors are the biggest threat to data security that a company will encounter. But that’s not the case. The biggest threat to data security that a company faces every day is actually a lot closer to home: its employees. Human actions lead to most data security incidents, but companies can mitigate the risk of a data exposure nightmare without breaking the bank. 


See real data from phishing simulations & dark web analysis trends to watch in The Global Year in Breach 2022. DOWNLOAD IT>>


What Challenges Do IT Teams Face When Contending with Data Loss Through Email?


The leading case of a security breach of any kind will always be human beings. Nearly 60% of organizations in a recent Ponemon Institute study said that they have experienced data loss or exfiltration incidents caused by an employee data handling mistake using email in the last 12 months. Other channels that have also led to data loss because of employee mistakes include cloud file-sharing services (62%) and instant messaging platforms (57%). Drilling deeper, almost one-quarter of businesses studied said that they experience a security incident caused by employee email handling every day.   

Having a practiced incident response plan is essential because this kind of data loss can be a challenge for IT teams to find. Discovering an email-related data security incident is slow. It takes security teams an average of about three days to detect and remediate a data loss and exfiltration incident caused by a malicious insider via email, and almost 48 hours to detect and remediate an email-related data security incident caused by a negligent employee. What makes preventing this kind of data loss so challenging? A lack of visibility of sensitive data that employees transferred from the network to personal email is the most common barrier (54%) to preventing data loss. 


Can you spot a phishing message? This infographic points out red flags to watch for to sniff them out! DOWNLOAD IT>>


What Are Some of the Reasons Why Employees Mishandle Data? (H3)


Getting employees on board with security policy compliance and getting them to practice smart data handling behavior can be a challenge. Many employees don’t have a clue about the importance of their behavior in maintaining security, let alone the importance of maintaining strong security around data. Employee failure to follow security policies is the culprit in an estimated 40% of data losses. That’s often the consequence of poor or little employee security awareness training. An estimated 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s not just a data security problem, it’s a gateway to a cybersecurity disaster

When considering data security risks, it’s also important to keep an eye out for malicious insiders as a source of data loss. A little over one-quarter of data loss in this study could be attributed to malicious insiders. A company’s proprietary data like customer records, formulas, blueprints, source code, playbooks, budgets, job bids and other corporate secrets can do a lot of damage in the wrong hands, and it can also sell for a lot of money on the dark web. It takes security teams up to three days to discover and stop a malicious insider data theft incident that involves email. The more privileged the employee, the longer it can take (and the more damage they can do).

Employees that have recently left an organization or who have been terminated are a major data security threat, and they’re highly likely to send themselves data via email on their way out.  An estimated 45% of employees download, save or send work-related files before they leave their job. This happens most frequently in the tech, financial services, business consulting and management sectors. They’ll take everything from client lists to trade secrets. Employees are most likely to steal data like intellectual property within 90 days of their resignation, with 70% of insider intellectual property thefts taking place in that window.   


Go inside nation-state cybercrime to get the facts and learn to keep organizations safe from trouble! GET EBOOK>>


What Types of Data Are Lost or Stolen Through Email?


Data of every kind can be lost or stolen through email, even data that you’d think that employees would recognize as something to handle with care. However, 73% of organizations are concerned that employees do not understand the sensitivity or confidentiality of data they share or handle through email. Researchers pointed to user-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data) and intellectual property as the three types of data that are the most difficult for companies to safeguard.  

 The Top 3 Types of Data Stolen or Lost Via Email 

% of data loss incidents
Customer information61%
Intellectual property56%
Consumer data47%

Source: Help Net Security

The Top 3 Riskiest Departments for Data Security Via Email 

% of data loss incident attribution
Marketing and PR61%
Production & Manufacturing58%
Operations57%

Source: Help Net Security


security awareness training cuts costs represented by a bright blue-white digitized dollar bill on a red, white and navy background of computer code

Stop cyberattacks & save money: See why security awareness training is your best investment. DOWNLOAD NOW>>


What Are the Consequences That Companies Face?


Data loss or exposure through email can have some major consequences for businesses. Businesses cited non-compliance with data protection regulations (57%), loss of reputation (52%) and loss of a customer (29%) as the most damaging result of a data loss incident. Data security noncompliance can be punishingly expensive. For a HIPAA violation, a company could be looking at penalties ranging from $100 to $50,000 per violation (or per record). A GDPR penalty could set a company back up to 4% of its annual global revenue or 20 million euros ($22.8 million). A company in breach of PIPEDA requirements can be fined up to $100,000 for each violation

This is a recipe for disaster. Email is not only the top channel for data security danger. It is also the top route by which a cyberattack will reach a business. Email security has never been more important to prevent a cyberattack as phishing rates skyrocket. In fact, phishing aimed at businesses hit an all-time high in Q1 2022, with more than one million attacks in a quarter recorded for the first time. The vast majority of today’s most devastating cyberattacks like business email compromise, account takeover and malware or ransomware all tend to start with a phishing email. That makes safe email handling by employees a security must-have for businesses. 


Are your users ready to handle all of the risks they face daily? Make sure you’ve covered all the bases! GET A CHECKLIST>>


Mitigate Data Security Risk Simply & Affordably


Despite these risks, organizations do not have adequate training in place. While 61% of organizations say that they conduct security awareness training, only about half of them have programs that educate employees about the sensitivity and confidentiality of the company’s data. Failure to invest in security awareness training is a major barrier to security and compliance success. It’s overwhelmingly apparent that security and compliance awareness training works – and companies that engage in regular security awareness training have 70% fewer security incidents

BullPhish ID is the ideal security and compliance training solution for businesses of every size, with all of the must-have features that make training a snap for training administrators and employees.   

With BullPhish ID you:  

  • Get at least four new training videos and fresh phishing kits added every month to keep training current.  
  • Simplify compliance training with video lessons that make complex requirements easy to understand.   
  • Train your way and on your schedule with plug-and-play phishing simulation kits or customizable content that can be tailored to fit your industry’s unique threats.   
  • Offer training in eight languages: English, Dutch, French, German, Italian, Portuguese, Spanish (Iberian/European) and Spanish (Latin).   
  • Leverage in-lesson quizzes and simple, easy-to-read reports to see the value of training and know who needs additional support.    
  • Simplify the training process and make it convenient for every employee with a personalized user portal.    
  • Automatically generate and send reports to stakeholders.   

Want to learn more about security awareness training and how BullPhish ID can help secure your company and save you money? Explore the benefits of training with BullPhish ID today. 


Our partners typically realize ROI in 30 days or less. See why nearly 4,000 MSPs in 30 countries choose to grow with ID AGENT solutions and support. BECOME A PARTNER>>



let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!

LEARN MORE>>


Is your password compromised? Find out in seconds!

USE OUR PASSWORD COMPROMISE CHECKER>>


Book your demo of Dark Web ID, BullPhish ID and Passly now!

SCHEDULE IT NOW>>