In November 2016, a Boeing employee emailed his spouse a spreadsheet from work because he needed help with formatting. In the spreadsheet: names, ID numbers, dates of birth and Social Security numbers for 36,000 Boeing employees.
It happens, and in this case, it cost Boeing the fees for two years of paid credit monitoring for the affected employees, plus the time of the forensic team to make sure this was all an innocent mistake—but a serious data breach, nonetheless.
Whether the cause is a vindictive employee or a careless one, there is a fairly good probability that an email carrying confidential information will go wrong.
Here’s how I would analyze the risk for an email mis-direction, using the FAIR model (follow along with the model here).
1. Start with Scoping – What’s the Risk (or Loss Event)?
Email is not the risk, though you might have seen it on Top 10 Risk lists. In the FAIR model, we define risk as a “loss event”. Scoping is defining that loss event.
There are 3 main elements to define in scoping:
The Asset at Risk
Something that may be affected, either by diminished value or by creating a liability for the owner. Applying that lens, it’s the data in the email that’s the asset here.
The Threat Actor
We always focus on the probable vs the possible; the most probable actor here is an internal one. A threat does not have to come with malicious intent. In FAIR, a mistaken act can create just as real a threat effect.
The Effect
In other words, what you are worried about happening. The three types of effects are confidentiality, integrity and availability (C-I-A). In this case, the effect would be “C”, a loss of confidential information.
2. Do the Research, Map It to the FAIR Model
Now that we have defined the loss event, we’re ready to dig in to the analysis by gathering data from experts within the organization (for instance, the incident response, business continuity, or disaster recovery teams).
The FAIR model provides the structure for our research. For any scenario, we need to understand the potential magnitude (ultimately, the cost in dollars) and frequency of losses, based on previous experience within the organization and what we know of industry norms.
I would question the subject matter experts along these lines:
Loss Event Frequency
- How often does an email contain confidential data?
- How many confidential records are typically in one email?
- How often does an employee mis-deliver an email? In FAIR terms, that’s Threat Event Frequency (which may or may not result in a loss).
- Is the information within the emails encrypted, or is a login to an account required to access the data? (That’s Vulnerability.)
Loss Magnitude
Ask the experts for accurate cost data, based on known costs, in two categories:
- Primary Costs - for instance, customer service or management time to handle response to the email snafu.
- Secondary Costs – AKA fallout: Would you offer credit monitoring to your customers? Would you be fined by a regulator if personal credit or health information were released? What’s the potential for settlements on customer lawsuits?
3. Run Your Results, Make Some Decisions
We’re ready to enter the data gathered into a spreadsheet or the RiskLens application and use a Monte Carlo function to simulate a vast number of outcomes. The output is a smooth curve graph showing a range of potential losses in dollars on an annualized basis.
Final step: Compare the range to your appetite for risk and decide if risk controls are worth the investment. To protect against email-challenged employees exposing confidential information, controls might include a password-protected file sharing site or multi-factor login.
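To show how the step 2 inputs feed the step 3 simulation, here is an added example (not the author’s or RiskLens code): a small FAIR-style Monte Carlo in Python with constructed min / most-likely / max estimates for the email mis-delivery scenario, plus a second run with a lower Vulnerability range standing in for the encryption or login control, so the two annualized loss ranges can be compared against a risk appetite.

```python
# Added example: a minimal FAIR-style Monte Carlo for the email mis-delivery
# scenario. All estimates below are constructed placeholders, not real data.
import random
import statistics


def draw(rng, est):
    # One sample from a (min, most likely, max) estimate; a triangular
    # distribution stands in for the PERT-style curves risk tools usually use.
    lo, ml, hi = est
    return rng.triangular(lo, hi, ml)


def simulate_email_risk(n=10000, seed=7,
                        tef=(2, 6, 15),                 # mis-delivered emails with confidential data per year
                        vulnerability=(0.3, 0.6, 0.9),  # P(a mis-delivery becomes a loss): no encryption, no login
                        primary=(500, 3000, 20000),     # per-event response and management time, dollars
                        secondary=(0, 10000, 250000),   # per-event fallout: credit monitoring, fines, settlements
                        p_secondary=0.2):               # share of loss events that also incur secondary loss
    """Return percentiles of simulated annualized loss in dollars."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(n):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability (FAIR).
        threat_events = int(round(draw(rng, tef)))
        vuln = draw(rng, vulnerability)
        total = 0.0
        for _ in range(threat_events):
            if rng.random() >= vuln:
                continue                       # mis-delivery did not result in a loss
            total += draw(rng, primary)        # Primary loss
            if rng.random() < p_secondary:
                total += draw(rng, secondary)  # Secondary loss (fallout)
        yearly.append(total)
    yearly.sort()

    def pct(p):
        return yearly[min(n - 1, int(p * n))]
    return {"mean": statistics.fmean(yearly), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": yearly[-1]}


def within_appetite(result, appetite, percentile="p90"):
    # Decision rule from step 3: compare the loss range to your risk appetite.
    return result[percentile] <= appetite


if __name__ == "__main__":
    baseline = simulate_email_risk()
    # Control case: encrypted attachments or a required login lowers Vulnerability.
    controlled = simulate_email_risk(vulnerability=(0.02, 0.05, 0.15))
    for name, r in (("no control", baseline), ("encryption+login", controlled)):
        print(f"{name:18s} p10 ${r['p10']:>10,.0f}  p50 ${r['p50']:>10,.0f}  "
              f"p90 ${r['p90']:>10,.0f}  mean ${r['mean']:>10,.0f}")
    print("within $100k appetite at p90:", within_appetite(controlled, 100_000))
```

The gap between the two mean (or p90) figures is the annualized loss the control avoids, which is the number to weigh against its cost.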