With the CCPA Now in Effect, Organizations Must Improve Email Security Capabilities

On January 1, 2020, the California Consumer Protection Act (CCPA) went into effect with much fanfare. The new law, intended to enhance privacy rights and consumer protections for residents of the state, implements new individual data access and erasure rights, ensures the right for individuals to opt out of data selling and mandates stronger information security — among other measures. Modeled loosely on the European Union’s GDPR, the CCPA represents the strongest such law in the U.S.

The CCPA applies to any companies conducting business in California that either meet certain size thresholds or derive more than 50 percent of their annual revenue from the sale of consumers’ personal information. Bear in mind: This is not just for companies based in California; it applies to all companies doing any type of business in the state. As a result, the CCPA will have major ramifications for companies throughout the world that wish to continue operations involving California citizens. With other states expected to follow in California’s footsteps and enact stronger data protection laws of their own, it is critical for businesses operating in the U.S. to prepare themselves for this new reality. As businesses worked to achieve CCPA compliance, email security emerged as a critical component of any comprehensive data protection plan.

The Rise of BEC Scams Highlights One Vulnerability Likely to Run Afoul of CCPA

One area where the impact of CCPA will be keenly felt is email security. Once an organization’s data has been mapped and classified as called for under the new law, it is important to put systems in place to ensure that data is protected by design. This means more than having effective firewalls or putting systems in place to alert security teams to potential network intruders. In today’s world, the most effective cyberattacks are often the ones that target the most vulnerable part of any organization: its people.

Business email compromise (BEC) attacks, phishing scams and other social engineering-based attack methods are becoming an increasingly popular attack vector among cybercriminals. In fact, this September, the FBI released a public service announcement containing some startling numbers: Between October 2013 and July 2019, businesses lost an estimated $26 billion to BEC scams alone. These losses have not been limited to large organizations, either; the FBI is careful to note that the scams target small, medium and large businesses and even personal transactions.

BEC scams have been reported in all 50 states, as well as 177 other countries, with fraudulent transfers making their way to at least 140 different countries. One fraudster based in Lithuania recently pleaded guilty to defrauding Google and Facebook out of roughly $123 million — a staggering number that underscores the outsized financial impact that these scams can have, even on the companies assumed to be the most technologically savvy. These scams represent a widespread, global issue that businesses of all sizes need to be aware of and protect themselves against.

Of course, BEC scams are just one example of how cyberattacks target human fallibility, but they serve as an effective illustration of what makes social engineering attacks so successful. They exploit the fact that human error is all too common. In fact, 80 percent of breaches — BEC or otherwise — are linked to employees simply doing something accidentally. Auto-complete might suggest an incorrect recipient. An email address might be mistyped. An employee might not realize that the legitimate-looking email they are responding to is actually from a scammer.

BEC attacks generally operate by sending an email that appears to be from a senior-level employee or high-value customer asking the recipient to take some action such as approve a payment, transmit client data or otherwise compromise secure information. All it takes is one employee to fail to realize that the email is a scam, and companies can potentially find themselves in serious trouble. Just ask Toyota, a subsidiary of which recently lost $37 million when members of the finance and accounting departments were targeted by scammers posing as one of the auto giant’s business partners. It was the third time in the span of a year that Toyota fell prey to such a scam, highlighting the potentially devastating consequences of such a breach.

With CCPA in effect, breaches like this will come under significantly increased scrutiny. After all, many scammers are more interested in personal information than simple financial gain, and companies must be on the lookout. CCPA establishes steep penalties for noncompliance, with a fine of $2,500 being levied for each violation not rectified within 30 days. And while $2,500 might not sound like a lot, keep in mind that CCPA considers each individual whose data is compromised to be an individual violation. Then consider that the data breach suffered by the American Medical Coalition Agency (AMCA) resulted in the theft of more than 25 million patient records. It doesn’t take an accountant to see that the potential fines involved here would be massive if CCPA had been in effect, and while this breach is one of the largest on record, it underscores just how much damage a talented and ambitious attacker can do.

Solving the Unsolvable: Proper Email Safeguards Can Help Limit Human Error and Prevent CCPA Violations

Human error isn’t new, and preventing it can feel like an unsolvable problem. It’s simply a part of life, and it’s been affecting businesses for as long as they’ve been around. In the past, human error might have been limited to a clerk forgetting to ring up a certain item or maybe an accountant forgetting to carry the one when balancing the ledger. Now, the technological advances that power today’s businesses have enabled BEC scams and similar attacks to exploit those same human weaknesses on a much larger scale – on top of which, people will continue to make “basic” mistakes, like misdirecting an email, even without an attacker trying to trick them into it. Today, having safeguards in place to ensure that proper email security is being adhered to on a human level can be the difference between remaining secure or suffering a serious breach.

The name of the game here is limiting risk. When it comes to email communication, there is some amount of risk inherent in any exchange. Are you certain that the sender is who they are claiming to be? Are you certain you typed the correct email in the “to” field? Are you certain you attached the right document? Employees sending hundreds, or even dozens, of emails each day are not going to run down this checklist every time they send a message.

After a while, people have a tendency to assume they know what they’re doing — and that’s understandable. Do you double-check that every email from your boss is actually from your boss? Or that your autofill function has suggested the correct name? Probably not, because frequently, you’ll find that they are exactly who they are claiming to be or that you have added the correct person. But the number of occasions this isn’t the case is particularly significant when you look at the bigger picture.

Look at it this way: How many emails do you send each day, and how many people are in your organization? Assuming your email output is roughly average, if you work at a company with 500 employees, that means 25,000 emails are being sent by your company per day. Over the course of a year, that expands to as many as 9 million emails. Even if just 0.1 percent of those emails are problematic — responding to a scammer, mistyping an email address, attaching an incorrect document — that leaves between 6,000 and 9,000 opportunities for secure information to make its way into the hands of cybercriminals, potentially costing your company money and most definitely running afoul of the CCPA.

Thankfully, the increased sophistication of tools like machine learning and behavioral analytics are enabling a growing number of organizations to implement intelligent, risk-based protection; secure email and file transfer methods; and smart authentication procedures — all valuable steps that organizations can take to ensure that their email security remains compliant with this new legislation. When applied to email security, contextual machine learning and behavioral analytics can identify anomalous and/or risky behavior before it can cause a potential issue.

This might mean something as simple as identifying an incorrect email address in the “to” field or as complex as scanning attachments to ensure that the correct level of encryption is being used. You know how today’s email clients will scan for the word “attachment” in your email so they can alert you if you forgot to attach the promised document? It’s just like that, but on an infinitely larger, more sophisticated and, ultimately, valuable scale.

As these predictive tools become more familiar with their users, they can more accurately determine what behaviors qualify as abnormal and alert the user that they may be on the verge of making a mistake. Considering the damage email data breaches have been known to cause and the looming threat of CCPA-imposed sanctions, this added level of human-layer protection can prove invaluable to businesses.

The CCPA Provides an Opportunity to Make Needed Security Improvements

Ultimately, the goal of the CCPA is to protect consumers by ensuring that businesses are taking an appropriate level of care when it comes to their personal data. This is an admirable goal. And as cybercriminals become more sophisticated in their attack methods, the new legislation will spur many organizations to make much-needed improvements to their security capabilities. Additionally, while the CCPA will levy major sanctions of organizations that fail to adequately protect consumer data, it is worth noting that incidents of data theft like those experienced by Google, Facebook and AMCA demonstrate the financial impact that these breaches can have even without the CCPA. In reality, businesses should be looking to implement these sorts of security improvements independent of the regulatory landscape.

Smart, adaptable and scalable email security tools can help prevent these problems before they arise, and whether organizations are working to establish regulatory compliance or simply strengthen their ability to combat BEC and other social-engineering threats, email security should be a priority. California may be one of the first states to establish strict data protection laws, but it certainly will not be the last, and as the U.S. takes its first steps down the trail blazed by Europe, businesses wishing to continue conducting business in the country must ensure they have implemented effective, human-layer security to protect the softest targets of all: people.