Email Your Data Breaches
I worked at a start-up a while ago and used to deal with a lot of data breaches involving emails, the sort in the news with the Child Sexual Abuse Inquiry. It was usually the same person or the team involved. I tried training, giving instructions, etc. However, the incidents kept occurring on a regular basis. A detailed Post Incident Analysis found that the team was sending these emails out last thing on a Friday, before going home. They had to send them so that the recipients received them before the end of the week.
The analysis showed that the sender was working under pressure to send the emails out on Friday. Often, there was no one else around on Friday afternoon to double-check before sending the emails. They were also in a rush to get home or out for the weekend and were therefore desperate to get the emails out as soon as possible. A dangerous combination that largely contributed to the mishaps.
Because it was Friday evening, when an incident occurred it would not be picked up before Monday morning; therefore, the impact would not be understood before complaints arrived.
I suggested a simple process change. This was to change the time the emails were sent from Friday evening to Thursday after lunchtime. We agreed upon 3 pm. The emails were double-checked by a colleague before they were sent out. This seemed to do the trick. From then on, the incidents reduced and were very rare.
A simple process change can have quite an impact on reducing risks. This is why post-incident analysis/root cause analysis is important after an incident, and I always include this in any Incident Management Process I design. Another reminder that the issue and solution do not always have to be about technology.
Director of Getting Stuff Done (Lead Gen, Cyber & AI)
6 years ago: I would add a 2 min email send delay to catch those "aaagh" moments, especially if the email address incorrectly autocompletes. Handy for BAU emails in smaller businesses?
Cybersecurity & Risk Leader | Business Growth Specialist | Founder
6 years ago: Odd to change the day we can email as a solution... I’d much rather see the CC field taken away from places where there is the global address book or customer list. Proper mail software would dispatch email properly, missing the CC errors...