Controlling misdirected email sounds like a pipe dream. How can we stop an email that the user is authorized to send, with data they are authorized to transmit, from going to a perfectly trusted destination? The typical answer is more user awareness training. In reality, most user awareness training is geared towards stopping ever more sophisticated inbound attacks. Stopping the accidental sending of the right information to the wrong person might not be top of mind for most administrators, but most users have had that panic moment of sending email to an unintended recipient. Usually it's something that can be laughed off later, but occasionally it can cause real financial, regulatory or reputational damage.

Collaboration tools, including email, make it as easy as possible to send a message and move on. For example, when was the last time you typed out someone's full email address? How often do email and collaboration apps suggest exactly what you're looking to do?

Sales organizations understand the risk of sending the wrong PO to the wrong customers. Third parties that deal with multiple partners and customers understand the confidentiality required when processing data between those groups. Honestly, anyone who deals with more than one customer or partner should be cognizant of the risk. Contact lists are full of people who have moved from one organization to another, sometimes competing ones. Organizational directories are full of very similar names. Try sending a time-sensitive email to a part-time contractor instead of your VP and you've left the outcome of that issue up to a person who may have logged off several hours ago. If the sender had been alerted to the deviation from their normal activities, like sending to a person they'd never emailed before, they would have realized and corrected their mistake.

With the increased availability of user activity data, and the ability to share it across platforms, users can be digitally fingerprinted in an organization. These fingerprints are made up of dozens of individual data points, including the close circle of people they regularly communicate with, the organizations they interact with, the type of data they send, and the locations that they work from. These types of signals are being used by security teams to identify risk through User Behavior Analytics (UBA/UEBA), but what if they could also be used to provide a technical check on what has traditionally only ever been a human control? There's a wildly varying statistic out there that says about ninety percent of users, if presented with an additional verification prompt before performing a risky activity, won't do it. Regardless of the accuracy of that number, ask yourself that same question. If you quickly put an email together with anything from moderate to very sensitive data in it and hit send, would you double-check your work when prompted? You probably would; most people would re-read that email. The trick is that these prompts can't become noise. They have to be right or they'll become another casualty of the click-through culture.
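A minimal sketch of such a pre-send check, added here as an illustration and not taken from any product or from the original article: it builds each sender's recipient history and prompts only for a never-used address that resembles a frequent contact or belongs to an organization the sender has never written to. The addresses, the thresholds and the function names are assumptions made for the example.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed sent-mail history as (sender, recipient) pairs; all addresses are made up.
SENT_LOG = (
    [("ana@corp.example", "j.smith@acme.example")] * 5
    + [("ana@corp.example", "maria.lopez@corp.example")] * 4
    + [("ana@corp.example", "orders@acme.example")]
)

def build_profiles(log):
    """Count how often each sender has written to each recipient."""
    profiles = {}
    for sender, rcpt in log:
        profiles.setdefault(sender.lower(), Counter())[rcpt.lower()] += 1
    return profiles

def check_recipient(profile, rcpt, min_count=3, similarity=0.85):
    """Return (prompt, reason) for one recipient of a message about to be sent.

    min_count and similarity are illustrative thresholds, not tuned values.
    """
    rcpt = rcpt.lower()
    if profile[rcpt]:
        return False, "known recipient"
    local, _, domain = rcpt.partition("@")
    # A never-used address that resembles a frequent contact is the classic
    # autocomplete slip: a similar name, or the same person at a new employer.
    for known, count in profile.most_common():
        if count < min_count:
            break  # most_common() is sorted, so the rest are infrequent too
        k_local, _, k_domain = known.partition("@")
        if SequenceMatcher(None, local, k_local).ratio() >= similarity:
            where = "same organization" if domain == k_domain else "different organization"
            return True, f"resembles frequent contact {known} ({where})"
    if domain not in {k.partition("@")[2] for k in profile}:
        return True, "first message to this organization"
    # Staying quiet here is a deliberate choice to keep prompts from becoming noise.
    return False, "new address at a known organization"

if __name__ == "__main__":
    ana = build_profiles(SENT_LOG)["ana@corp.example"]
    for to in ("j.smith@acme.example", "j.smith@rival.example",
               "maria.lopes@corp.example", "helpdesk@acme.example"):
        print(to, check_recipient(ana, to))
```

A real deployment would add the other signals the fingerprint includes, such as the type of data attached and the sender's location, before deciding to interrupt the user.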

Collaboration tools are designed to make people more efficient. From auto-populating names and email addresses, to auto-correct and auto-fill, people can send data with great ease and speed. However, just like the threat posed by inbound messages, outbound messages need to be double-checked. At the end of the day, even mildly sensitive data can create a disproportionate risk if delivered to the wrong hands. The answer must keep up with users, not just report after the fact that something might have happened. With increased use of machine learning, companies should consider implementing a solution around misdirected email that can take advantage of trending analysis and present users with the real-time ability to correct mistakes before they happen.
