When ARPANET engineer Ray Tomlinson sent the world’s first email message in 1971 he decided to make it easy for himself. The message was sent from himself to himself from a computer sitting on a desk inches away from the recipient system.
Nearly half a century on, this simple idea of sending messages from one person to another has turned from a straightforward technical challenge into an organisational, legal and occasionally (just ask Hillary Clinton) political minefield.
Every email user in the world has at some point accidentally sent a message to the wrong person or, on the other side, received a misdirected one out of the blue. For years this was just an annoying mishap and then data protection laws started to bite and the issue turned darker.
Various solutions have been suggested, most simply by introducing a proprietary ‘undo send’ delay before an email is sent from a particular platform. If the sender notices the misdirection, the email can be stopped. Except that most people don’t notice. Undo send also reduces the responsiveness of email because it means that even correctly addressed messages are delayed.
Encryption is another method but that introduces considerable complexity and expense and to business managers sounds like technological overkill.
The problem remains intractable enough that it has aroused the interest of a new British startup, CheckRecipient. As with Hook, an anti-phishing training startup recently profiled in Techworld, CheckRecipient is currently ensconced in Cyber London (CyLon), a dedicated UK cybersecurity accelerator that seems to be cranking out a line of interesting cybersecurity firms.
As with Hook, CheckRecipient is about fixing an old problem that a lot of larger tech firms seem to have either given up on or can’t figure out how to make pay.
The system works as a layer between a user and the people they send emails to, learning from their patterns of usage. From this, it can predict whether an email is being sent to the wrong person. Most employees send certain kinds of emails to only a very select group of people so using machine learning intelligence to manage this process in a reliable way sounds logical.
As CheckRecipient CEO and cofounder Tim Sadler explains below, the system has attracted interest within sectors that are traditionally highly-sensitive to confidentiality such as the legal profession and financial services. It sounds odd to think of confidentiality as if it is something that only a niche group of organisations would worry about. This was probably true in the 1990s when stories of mis-directed emails started to attract attention as email took off, but it sounds pretty complacent two decades on.
We live in a world that is slowly starting to grasp the often hidden, slow-motion effects of confidential data misdirected through simple human error. The information inside emails is still data after all. What is incredible is that organisations are still grappling with this issue at all but the team at CheckRecipient aren’t complaining.
Tim Sadler, on founding CheckRecipient:
After studying engineering, I began a career in investment banking. I was astounded that despite this highly regulated industry being full of protocol and policy, it was still possible to lose sensitive information through simple human error.
Everyone knows that sinking feeling when an email is sent to the wrong person, but in industries like finance or healthcare which involve the processing of highly sensitive personal information as standard, a simple human mistake can have enormous consequences.
A Freedom of Information (FOI) request earlier this year, found that human error accounted for almost two-thirds (62 percent) of the incidents reported between 2014-2016 and of this, 9 percent of cases were as the result of data accidentally emailed to the wrong person.
Even so, there wasn't any software solution to this problem, so along with a group of university friends, I spotted a gap in the market and CheckRecipient was born. Very simply, our product is designed to prevent emails being sent to the wrong people due to inadvertent human error. We use artificial intelligence and machine learning to analyse historical email data, and then predict when an email is being addressed or sent to the wrong person.
If you're a lawyer for example, and you're sending information to the wrong client, the system would draw on historical data – keywords or phrases used in emails to certain recipients – alerting you to the mistake before the email is sent. By analysing this historical data, CheckRecipient understands the conventional sending patterns and behaviour within the organisation and then detects any anomalies.
Although sending the wrong email or document out by mistake might not result in a regulatory fine, there may be other reputational or financial repercussions both to you as an individual and to your organisation, which can be damaging in their own right.
Ever sent email to the wrong person? Lessons for cybersecurity startups
When setting up a new business, the idea is just the first step; turning it into a commercial business through execution is the hard part. Luckily, the technical skills we’d gained from university meant that we were able to build the product without needing to get external support. But understanding the cybersecurity industry – who the buyers were and their pain points – was much more complex. It’s all very well building a functional product, but you have to make sure it’s needed and that it fits in with your audience’s behaviours and habits.
Our original MVP (‘minimum viable product’) required a lot of admin. We thought companies wouldn't mind administration if it made their data safer. But companies are reluctant to implement cybersecurity measures if they also place a burden on employees in the firm. They're not willing to compromise if it involves an employee having to spend a number of hours per week dedicated to it. Sussing that out was challenging but we learnt our lesson by going to market with our products as soon as possible and then engaging with stakeholders to gather direct feedback early on.
A year ago we joined cybersecurity accelerator programme, Cyber London (CyLon), and the advice and support we’ve gained has been invaluable. But this kind of specialist guidance is relatively new in the UK market and for a highly skilled subject like cybersecurity, it is essential.
Although the UK is still slightly behind the likes of the US and Israel when it comes to supporting cyber innovation, things are starting to change with drastic improvement in the last year alone. Programmes like HutZero, a dedicated cybersecurity bootcamp aimed at helping people turn their ideas into startups, are testament to this.
CheckRecipient: next steps
So far, our product has been well-received and we’ve secured customers including some of the world's largest law firms, hedge funds and investment banking advisory firms.
We’re already finding that CISOs and CIOs are far more willing to embrace new technology than when we first started.
I left university in 2011 and the general trend graduates only wanting to work for large companies has changed. Young people are attuned to what's involved in working for a startup.
Cybersecurity is still quite niche and there's more to be done to educate people about the opportunities it offers. It’s often the simplest solution to a problem that turns out to be the best and most elegant. As our story demonstrates, it’s the problems right in front of you that are sometimes the most pressing, but they can be missed all the same.