Autocomplete and data breaches
Matt Smith, SEGWARP Group Manager
08 April 2022
I have been facilitating cyber security groups for nearly 20 years now. WARPs or Warning, Advice & Reporting Points (you may have heard of them) are communities of trust, usually based in a specific geographic region, which bring together fellow practitioners helping to improve one another’s overall security posture. A truly great example of the whole being greater than the sum of its parts.
Face to face meetings form an integral part of a WARP. They help to build trust – the foundation upon which the whole information sharing ethos of a WARP is based. One key element of these meetings is the round table. This ‘closed’ session gives members the opportunity to discuss their current workload, ask for help with issues that may be causing difficulties and to share any security related incidents. This information sharing is key – in the case of an incident, members can share what happened, what the impact was, how they mitigated it and what they put in place to stop it happening again. In the case of a really serious incident, WARPs have ways of sharing in real time.
Over the years, threats and attack vectors have evolved, malware has come and gone but some things have remained the same. I must have run over two hundred of these meetings now but there is one particular type of incident that happens over and over again:
Sending an email to the wrong recipient
The impact of this action can vary dramatically. You may be lucky and end up asking the wrong colleague if they fancy a game of tennis. However, what happens if you send an attachment with sensitive data to the wrong person outside of your organisation? It could be commercially sensitive or contain Personally Identifiable Data. Worst case scenario, the data breach could be so significant that the ICO would be involved and the business could be fined. The potential ramifications of this do not bare thinking about.
But why does this happen so often? The answer is that tool that is supposed to make life so much easier for us – the dreaded auto-complete. You start typing in the ‘To’ field and up pops a list for you to choose from. Pick the wrong one without realising and you could be in real trouble. All for the sake of saving a few seconds and no one is immune – the auto-complete slip does not discriminate.
So, why not just turn it off I hear you ask? Well, in my experience, most organisations who have tried to disable the auto-complete feature get so much push-back (usually from senior management I’m afraid to say) that they are forced to turn it back on again. And yet disabling it is probably the biggest single thing you can do to stem the flow of data breaches from your organisation.
At a recent WARP meeting, a member reported that they had successfully managed to disable auto-complete. OK, so they had some push-back initially, but they stuck with it and 10 weeks later, they had not suffered a single instance of an email being sent to the wrong person. Not a single one. A prime example of a simple step having a huge impact. And the bonus? As this has been brought up at a WARP meeting, all the other members get to benefit from the experience of that member thus amplifying that impact.
Get in touch
You might also like…
An Urgent Need for Email Security in Local Government: Protecting Citizens and Preserving Public Trust
This article highlights the potential dangers of inadequate email security in the context of local government. Continue Reading An Urgent Need for Email Security in Local Government: Protecting Citizens and Preserving Public Trust