Over the past week we have spoken to many companies that have a serious problem with staffing in the ICT/Security department. Too few employees and too many questions and problems are the cause. Most problems arise from human error and often originate with e-mail. Below is an overview of the time taken by one incorrectly sent e-mail.
Time investment in the event of a data breach due to improperly sent e-mail
- Direct investigation (incident investigation)
- Ranging from several hours to even several days, depending on the sensitivity of the data and whether the recipient(s) opened the message, forwarded it, etc.
- Usually coordination is needed between the IT department, the data protection officer (FG) / privacy officer, legal department and sometimes external (security) specialists.
- Communication and reporting
- In case of (possible) risks for data subjects, the data breach must be reported to the Personal Data Authority (AP) within 72 hours. This means a formal notification with an assessment of the severity and the measures to be taken.
- If necessary, affected individuals should also be informed (this may require additional time and coordination).
- Internal monitoring and measures
- Updates in protocols, training/awareness for employees, modification of technical security measures, etc.
- This can range from a few extra hours of work (adjustments in procedures, training) to several working days if new tools or processes need to be implemented.
Average estimate: In practice, several FGs/privacy experts indicate that – for an average company – you can easily spend 20 to 40 hours of internal time investigating, reporting, consulting and communicating around one mis-sent e-mail. In larger organizations (where more departments and stakeholders are involved), this can add up to several weeks, especially if highly sensitive data (e.g., medical or financial data) is involved.
Rather not via email
Therefore, in many cases, it is preferable not to send sensitive files via regular e-mail at all. That’s because e-mail by its very nature is not designed with the highest security standards in mind. A document that inadvertently lands in the wrong inbox can lead directly to reputational damage, loss of customer trust and time-consuming internal handling. Consider investigating the extent of the leak, notifying affected individuals, and preparing official notifications to the AP.
Especially in sectors such as healthcare, finance and government, where confidential data is involved, the risks are high. If the data is extremely sensitive, such a data breach can cost much more time and money. Moreover, these incidents are often accompanied by strict oversight or additional scrutiny from regulators.
Fortunately, there are ways to mitigate these risks. For example, mSafe offers a secure solution for sharing documents without having to include them as attachments in your mail. This is because with mSafe, files are securely stored in an encrypted environment and recipients receive a secure link and an SMS. This allows you to set exactly who has access and for how long, and limits the risk of human error.
Minimize risk and save time
- Do not send sensitive files via regular e-mail: the risk of data leakage is too high.
- Careless mail use costs time, money and reputation: a data breach can quickly require 20 to 40 hours of internal investigation.
- msafe minimizes these risks: by sharing confidential documents via a secure platform instead of sending them as loose attachments.
Want to learn more about how msafe helps your organization with secure file management and preventing data breaches? Then feel free to contact us or request a no-obligation demo.
