“The State of Email Security 2019” – Email-Borne Threats Lead Directly to Data Loss

When digital data or sensitive content falls into the wrong hands, it really is lost for good. The role of email in such loss events are a key part of the recently released "The State of Email Security Report 2019" from Mimecast.

Due to its digital nature, data can’t reliably be put back, particularly if it has fallen into the hands of a cybercriminal versus it just being accidentally mishandled. Cybercriminals generally only need seconds or minutes to replicate and move stolen data to places and into forms where it can’t be recovered. All you can do at that point is to do your best to cleanup and mitigate the damage.  And the damage of data loss can really hurt.

The Pain of Data Loss Comes in Waves

In the first wave there is the immediate pain of leak discovery, system downtime, and the associated cost and disruption of the preliminary investigation. Like a lot of bad news, data loss discovery rarely comes at a good time, if there is ever such a thing as a “good time” to receive bad news.

For many of the people involved after the discovery of a data loss event they must immediately drop whatever projects they were working on and devote every waking hour to understanding and addressing the incident.  And don’t think this first wave is restricted to just a few security or IT people. Most significant data loss events quickly involve PR/communications, legal, upper management, the web team, marketing, sales, customer support, and other business functions as the full scope of the incident becomes clearer.

The Pros and Cons of Network Downtime

Once the initial discovery and preliminary investigation ends, next often comes system downtime and a much deeper investigation into what happened and when it happened. System downtime often comes “on purpose” when the team decides to take down the network, applications, and databases that were potentially breached. A harsh step, but sometimes warranted to stop the bleeding. But of course, downtime can also happen because of the attack itself, such as one involving ransomware.

The PR Fallout of Data Loss

The third wave in a data loss event generally focuses on remediation and public relations as well as months of external and internal communications and damage control. Generally operating in parallel, while the IT folks are bringing the systems and data back on the inside, the external storm part of the data loss has already hit a fevered pitch at this stage.  At this point customers, business partners, journalists and law enforcement will often have taken a keen interest into the data leak and will expect to be handled by the organization.

The Regulatory Cost of Data Loss Events

The fourth and final wave, which can drag on for years in some cases, incorporates the response by regulators in multiple jurisdictions around the world, as well as civil litigation that will often rise. Just look at the recent class-action style settlement that Equifax entered into with the US Federal Trade Commission to get a feel for what this wave can look like and cost.

While the data genie can’t be stuffed back into the bottle once it is out, to state the obvious, the goal should be to minimize the probability of a data loss incident hitting your organization in the first place, while simultaneously planning for it to happen, so that plans, technologies, and procedures can be put in place to best prepare your organization for the inevitable. This is generally what is called cyber resilience.

Ultimately, data leaks will happen, but if well prevented and managed they don’t need to hurt as much as they could.