IT leaders have suffered significantly higher numbers of data breaches as a result of outbound email in the last 12 months.

According to research by Egress, 93% of 538 IT leaders surveyed reported a breach in the past year due to an email error, with 70% of those believing remote working increases the risk of sensitive data being put at risk from outbound email data breaches.

Egress CEO Tony Pepper said the problem is only going to get worse with increased remote working and higher email volumes, which create prime conditions for outbound email data breaches of a type that traditional DLP tools simply cannot handle.

“Instead, organizations need intelligent technologies, like machine learning, to create a contextual understanding of individual users that spots errors such as wrong recipients, incorrect file attachments or responses to phishing emails, and alerts the user before they make a mistake,” he said.

The most common breach types were replying to spear-phishing emails (80%), emails sent to the wrong recipients (80%) and sending the incorrect file attachment (80%).

Speaking to Infosecurity, Egress VP of corporate marketing Dan Hoy, said businesses reported an increase in outbound emails since lockdown, “and more emails mean more risk.” He called this a numbers game which has increased risk as remote workers are more susceptible and likely to make mistakes the more they are removed from security and IT teams.

According to the research, 76% of breaches were caused by “intentional exfiltration.” Hoy confirmed this is a combination of employees innocently trying to do their job and not cause harm by sending files to webmail accounts, but this does increase risk “and you cannot ignore the malicious intent.”

This is where better technology could better resolve the problem, he said, as current technology (such as static rule-based data loss prevention) does not catch these issues and problems increase. “Technology needs to shoulder more of the burden,” Hoy added.

Furthermore, almost two-thirds (62%) of businesses rely on people to identify outbound email data breaches, whilst 24% of IT leaders said the employee who sent the email would disclose their error. In terms of action taken, 46% of respondents said the employee who caused a breach was given a formal warning, while legal action was taken in 28% of cases. In 27% of serious breach cases, respondents said the employee responsible was fired.

Hoy pointed to the 62% statistic and the fact that we are “still reliant on people to self report incidents” and called outbound email errors combined with remote workers as a “perfect storm.” Regarding employees being reprimanded, he said it is an interesting debate as to where responsibility lies.

Pepper said: “Relying on tired, stressed employees to notice a mistake and then report themselves or a colleague when a breach happens is unrealistic, especially given the repercussions they will face. With all the factors at play in people-led data breach reporting, we often find organizations are experiencing 10-times the number of incidents than they are aware of.

“It’s imperative that we build a culture where workers are supported and protected against outbound email breach risk with technology that adapts to the pressures they face and stops them from making simple mistakes in the first place. As workers get used to more regular remote working and reliance on email continues to grow, organizations need to step up to safeguard both employees and data from rising breach risks.”

Over half (56%) of UK businesses plan to increase their digital skills training budgets for staff next year, suggesting changes to working practices as a result of the COVID-19 pandemic will be sustained. This is according to a survey of 200 senior business decision makers in large and medium sized companies by IT services provider Transputec.

The study also found that more than half (53%) of businesses are aiming to grow their IT infrastructure budget next year, while 60% of decision makers are planning to expand the use of digital collaboration tools to enable staff to connect more effectively and improve their well-being.

A third (33%) said they want to recruit a chief digital officer to help facilitate these changes, and 41% are seeking to hire candidates with high levels of digital skills.

In addition, close to half (44%) of UK businesses want to accelerate remote working going forward in order to reduce costs, such as by downsizing office space. Almost half (49%) of those surveyed expect to see growth next year, indicating that many businesses have already adapted well to a remote working model.

Sonny Sehgal, CEO of Transputec, commented: “COVID-19 has already had a devastating impact on UK business, and we’re not out of the woods yet. Fortunately, cutting edge technology has facilitated a mass shift to remote and digital working, and as a result, many businesses have observed benefits of lower overheads and more streamlined and efficient operations through managed services.

“Therefore, we can expect flexible working to stay with us for the long-term, even after it is deemed safe to return to the office on a permanent basis. Therefore, businesses must continue to bolster digital initiatives and prioritize the use of cloud-enabled digital collaboration tools, for example, if they wish to remain buoyant.”

Despite the business benefits of home working, the surge in this practice during COVID-19 has highlighted a number of cybersecurity issues, including the use of insecure video communication platforms and risky security behaviors by remote staff.

Digital Infrastructure Minister Matt Warman today announced £500,000 in fresh government funding to help medical suppliers, primary care providers, and other businesses in the healthcare sector boost their cyber security.

The fresh government funding comes in response to the National Cyber Security Centre’s assessment that malicious actors are carrying out large-scale cyber campaigns targeting organisations involved in the coronavirus response, such as large-scale ‘password spraying’ campaigns against healthcare bodies and medical research organisations.

“Security officials have identified targeting of national and international healthcare bodies, pharmaceutical companies, research organisations, and local government with the likely aim of gathering information related to the coronavirus outbreak,” NCSC said.

Matt Warman MP said small and medium-sized businesses in the healthcare sector, such as medical suppliers and primary care providers, can apply for a slice of the new £500,000 funding to improve their cyber security.

Not only will the government cover all consultancy and certification costs, it will also offer guidance and support to small and medium-sized businesses in the healthcare sector to get accreditation from the government’s Cyber Essentials certification.

The government support will include training to make sure all phones, tablets, laptops or computers are kept up-to-date, proper firewall usage to secure devices’ internet connections, and user access controls to manage employee access to services.

“We know there is a heightened cyber threat for healthcare businesses at the moment so we are releasing new funding to help those playing a vital role in the pandemic response to remain resilient. I also urge all organisations to sign up to the government’s Cyber Essentials programme which contains a number of simple steps firms can take to get the fundamentals of good cyber security in place,” Warman said.

Commenting on the government’s new initiative for the healthcare sector, Anurag Kahol, CTO of Bitglass, said the rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe. As healthcare organisations make patient data more accessible to individuals and new systems, they must make information security their top priority.

“Strategic investments in cybersecurity will make a significant impact on protecting healthcare businesses against cyber security risks, which will potentially save billions in the long run. With this new funding, and by procuring cloud apps with a strong security track record and third-party tools to secure data in the cloud, healthcare organisations will be able to improve their ability to protect medical records and allow them to focus on their core competency – delivering care services,” he added.

Security researchers have discovered hundreds of vulnerabilities across major hotel and airline and travel booking websites, some of which have already suffered major breaches.

UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools.

They found Marriott-owned websites were riddled with 497 bugs including over 100 assessed to be “high” (96) or “critical” (18). Some of these could have allowed an attacker to target users and their data, Which? said.

“We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised,” Which? explained.

“It also claimed that some findings were ‘not attributable to Marriott,’ while others ‘could not be validated.’ It didn’t supply any specific examples of mitigations, but said that it would be ‘taking a closer look at and addressing Which?’s findings’.”

Marriott is facing a large fine from regulator the Information Commissioner’s Office (ICO) after last year revealing a historic breach of 339 million customers’ data.

Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users’ browsing sessions.

The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites.

British Airways was found to have 115 vulnerabilities on its websites including 12 judged to be critical. Although most of the issues identified were thought to be related to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated.

BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO.

Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute.com which could allow attackers to create fake log-in accounts.

“Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals,” argued Which? Travel editor, Rory Boland.

“Travel companies must up their game and better protect their customers from cyber-threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.”

Warner Music Group has issued a data breach notification following a prolonged skimming attack on an undisclosed number of its e-commerce websites.

The cyber-attack was discovered by the multinational entertainment and record label conglomerate on August 5, 2020.

E-commerce websites that are hosted and supported by an external service provider in the US but operated by Warner were found to have been compromised by an unauthorized third party.

By installing data-skimming malware on the sites, the threat actor was able to access information being entered by customers.

Personal data compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes.

The as yet unidentified cyber-criminal accessed Warner customers’ personal information entered into the affected websites during transactions made between April 25, 2020, and August 5, 2020. Payments made through PayPal were reportedly not affected by this incident.

A data breach notice sent by Warner to the affected customers stated that “any personal information” customers had entered into the affected websites “after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”

Warner said that it was prompt to inform relevant credit card providers and law enforcement of the breach. The company has not yet disclosed how many customers were affected by the incident.

Affected customers have been offered 12 months of identity monitoring services free of charge by Warner.

The cyber-attack comes three years after Warner fell victim to a phishing scam that resulted in the leak of 3.12 TB of internal data relating to Vevo, the company’s premium music video provider.

“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web,” commented security evangelist at PerimeterX, Ameet Naik.

“Third-party platforms, scripts, and services are ideal targets for attackers because the techniques can be reused to steal data from multiple e-commerce sites.”