According to new research conducted by the Ponemon Institute and sponsored by Tessian, more than half (60%) of organizations have experienced data loss or exfiltration due to an employee’s email error in the past 12 months.
Email was revealed as the riskiest channel for data loss in organizations, as reported by 65% of IT security professionals. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).
The Ponemon Institute surveyed 614 IT security professionals around the world. The survey also revealed that:
- Employee negligence was the leading cause of data loss incidents (40%) in the past 12 months.
- Malicious insiders cause more than a quarter (27%) of data loss incidents.
- It takes up to three days for security and risk management teams to report an incident involving detecting and remediating data loss and exfiltration caused by a malicious insider on email.
- Nearly one in four (23%) organizations experience up to 30 security incidents involving employees’ use of email each month.
In addition, most respondents (54%) said the main barrier to protecting sensitive corporate data is a lack of visibility into sensitive data being transferred from the network to personal email.
The survey also found that 52% of respondents pointed to the inability to detect anomalous employee data processing behavior and to identify legitimate data loss incidents.
Due to this lack of visibility, IT security teams can take nearly three days (72 hours) to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email, and up to two days (48 hours) to detect and remediate an incident caused by employees.
The report found that most organizations (73%) are concerned that employees do not understand the sensitivity or confidentiality of data they share via email.
Despite these findings, nearly half of IT security leaders surveyed (46%) say their programs properly address the sensitivity and confidentiality of the data employees access via email.
Josh Yavor, Chief Information Security Officer for Tessian, noted, “Most security awareness training programs focus on incoming threats but fail to adequately address the internal processing of sensitive data.
“To raise awareness and reduce data loss incidents, organizations must be proactive in delivering effective data loss prevention training while gaining greater insight into how employees interact with corporate data.
“Security awareness training that directly addresses common types of data loss — including what to share with personal accounts and what not to take with you when you leave a company — and a culture that instills trust in employees will improve security behavior and limit the amount of data that flows out of the organization.”
Larry Ponemon, President and Founder of the Ponemon Institute, said, “This study demonstrates the seriousness of email data loss and its implications for modern enterprises.
“Our findings prove organizations’ lack of understanding of sensitive data, how risky employee behavior can be on email, and why companies should prioritize data loss prevention.”