By Drew Fox Jordan • March 4, 2021

    Why is Email Data Hard to Regulate With Policy?

    For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for leaders. Most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of the organization’s network. While DLP applies to more than email, email is still the number one channel for data loss according to Egress.

    Fundraisers spend 40% of their digital time on email, sending memos, spreadsheets, invoices, and other sensitive information and data, structured and unstructured alike. Couple this with the fact that the underlying technology behind email has barely changed since its inception, and with its ease of access (email accounts today are reachable from laptops, smartphones, tablets, smartwatches, and even cars), and it’s easy to see why 90% of data breaches start on email.

    This goes to show that nonprofits must be vigilant in assessing risk around both data loss and data exfiltration and, in doing so, must implement security measures that decrease their likelihood of suffering a breach. Unfortunately, that’s easier said than done.

    Preventing data loss requires not only advanced security tools but also buy-in from the entire organization. Here are three reasons why data sent through email is hard to regulate:

    1. Over 124 billion business emails are sent and received every day. That means it’s virtually impossible for nonprofits – often resource-constrained themselves – to monitor all of those emails for incidents that could (or do) result in data loss.
    2. Donor data is stored in various ways, from spreadsheets to living within the CRM. Limiting access to this data is one solution, but nonprofit leaders run the risk of limiting employee productivity in doing so.
    3. People make mistakes and break the rules. Whether it’s an employee sending an email to the wrong person or a disgruntled employee intentionally exfiltrating data, there are numerous ways in which sensitive data can fall into the wrong hands. Unfortunately, to err is human and even training can’t eliminate this risk entirely.

    When you consider the objective of DLP, you realize there are two distinct approaches to take. Data-centric solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization. Human-centric approaches, like Gravyty Guard, use artificial intelligence to understand the behaviors of nonprofit employees in order to protect sensitive information. While both approaches have their merits, there are some clear shortcomings to a data-centric approach.

    Blocking accounts/domains: In this approach, particular domains (particularly free mail domains like @gmail.com or @yahoo.com) are blocked by the organization. Such addresses belong to people outside the organization and, oftentimes, are actually the personal email accounts of employees themselves.

    Drawbacks: There are legitimate reasons to send and receive emails from people outside of your organization’s network and with “freemail” domains. After all, that is how fundraisers are communicating with donors. They may also simply be trying to send documents “home” to work after hours or over the weekend. Unfortunately, it’s not difficult for employees to find workarounds, regardless of their intentions.

    Blacklisting email addresses: Security teams can create a list of non-authorized email addresses and simply block all emails sent or received.

    Drawbacks: Because blacklisting requires constant updating, it’s very time and resource-intensive. Additionally, this is not a proactive approach. Email addresses will only be added to a blacklist after they’ve been known to be associated with unauthorized communications, which means data exfiltration attempts may be successful before security teams are able to take steps towards remediation.

    Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network.

    Drawbacks: Again, this system is time and resource-intensive and relies on fundraisers accurately identifying and tagging all sensitive data. Data can be misclassified or simply overlooked, allowing it to move freely within and out of a network. Additionally, employees often get fatigued with enforced tagging, which can lead to everything being tagged as sensitive by default.

    The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules. The more effective solution is one that’s adaptable and can uniquely identify possible risks without needing a dedicated security team to constantly monitor behavior.

    Machine learning DLP solutions can check for and recognize suspicious email activity thousands of times per second without missing information or getting tired. Nonprofits can use Gravyty Guard to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.
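    As an added illustration (not code from the original post, from Gravyty, or from Gravyty Guard), the Python script below applies the three rule-based controls described above (free-mail domain blocking, an address blacklist, and sensitivity tags), plus a keyword rule of the kind data-centric products use, to a few constructed outbound messages. It then contrasts them with a deliberately minimal per-sender behavioural baseline that only asks "has this sender ever mailed an attachment to this domain before?". That baseline is a hypothetical stand-in for the behaviour-based idea, not a description of how Gravyty Guard works. All addresses, domains, message bodies, and the sender history are made up for the example.

```python
from dataclasses import dataclass, field
import re

# Rule inputs. All values are constructed for this example, not from any real deployment.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com"}          # "blocking accounts/domains"
BLACKLISTED_ADDRESSES = {"known-bad@example.net"}       # "blacklisting email addresses"
SENSITIVE_TAGS = {"sensitive", "donor-pii"}             # "tagging data"
KEYWORD_PATTERN = re.compile(r"\b(donor list|social security|ssn)\b", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # file names only
    tags: set = field(default_factory=set)            # labels applied by the sender


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def rule_hits(email: Email) -> list:
    """Apply the static, data-centric rules and return the names of those that fire."""
    hits = []
    if domain_of(email.recipient) in FREEMAIL_DOMAINS:
        hits.append("freemail-domain")
    if email.recipient.lower() in BLACKLISTED_ADDRESSES:
        hits.append("blacklisted-address")
    if email.tags & SENSITIVE_TAGS:
        hits.append("tagged-sensitive")
    if KEYWORD_PATTERN.search(email.subject) or KEYWORD_PATTERN.search(email.body):
        hits.append("keyword-match")
    return hits


def behavior_hits(email: Email, history: dict) -> list:
    """Minimal behavioural baseline: flag an attachment going to a domain this sender
    has never written to before. `history` maps sender -> set of recipient domains
    seen in past mail (constructed here; a real system would learn it over time)."""
    seen = history.get(email.sender, set())
    if email.attachments and domain_of(email.recipient) not in seen:
        return ["first-time-recipient-domain-with-attachment"]
    return []


# Constructed sender history and sample traffic from one fundraiser.
HISTORY = {"fundraiser@nonprofit.example": {"nonprofit.example", "gmail.com"}}

SAMPLES = [
    # 1. Legitimate donor thank-you to a personal Gmail account: the domain rule fires anyway
    #    (a false positive of the kind the "Drawbacks" paragraph describes).
    Email("fundraiser@nonprofit.example", "donor@gmail.com",
          "Thank you for your gift", "We are grateful for your support."),
    # 2. Address already on the blacklist: caught, but only because someone added it earlier.
    Email("fundraiser@nonprofit.example", "known-bad@example.net",
          "Here you go", "File attached.", attachments=["q1-report.pdf"]),
    # 3. Untagged donor spreadsheet, no trigger keyword in the text, sent to a never-seen domain:
    #    every static rule stays silent; only the behavioural check notices anything unusual.
    Email("fundraiser@nonprofit.example", "someone@example.org",
          "The file", "Here's what you asked for.", attachments=["donors.xlsx"]),
]


def report(samples=SAMPLES, history=HISTORY) -> list:
    """Return (recipient, rule hits, behaviour hits) for each sample message."""
    return [(e.recipient, rule_hits(e), behavior_hits(e, history)) for e in samples]


if __name__ == "__main__":
    for recipient, rules, behavior in report():
        print(f"{recipient:<25} rules={rules or '-'} behavior={behavior or '-'}")
```

    Running the script shows the pattern the post describes: the domain rule blocks a legitimate donor email, the blacklist only catches an address that was already known, and the untagged spreadsheet passes every static rule. The behavioural check is intentionally crude (one feature, a hand-built history) and would itself produce noise on a new hire with no history, which is why a production system needs a learned per-user baseline rather than a single heuristic.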

    Use today’s technology to protect against tomorrow’s cyber threats. Take our FREE 15-minute assessment and receive your own Data Security Health Score and find out if your organization is secure.