The purpose of this study is to learn what practices and technologies are being used to reduce one of the most serious risks to an organization’s sensitive and confidential data. The study finds that email is the top medium for data loss and the primary pathways are employees’ accidental and negligent data exfiltration through email. According to the research, 59 percent of respondents say their organizations experienced data loss and exfiltration that involved a negligent employee or an employee accidentally sending an email to an unintended recipient. On average, organizations represented in this research had 25 of these incidents each month.
To reduce these risks, organizations should consider technologies that leverage machine learning and behavioral capabilities. This approach enables organizations to proactively prevent data loss vulnerabilities so organizations can stop email data loss and exfiltration before they happen. Thirty-six percent of respondents say their organizations use behavior-based machine learning and artificial intelligence technology. Seventy-seven percent of these respondents report that it is very effective.
Sponsored by Tessian, Ponemon Institute surveyed 614 IT and IT security practitioners who are involved in the use of technologies that address the risks created by employees’ negligent email practices and insider threats. They are also familiar with their organizations’ data loss protection (DLP) solutions.
Current solutions and efforts to minimize risks caused by employees’ misuse of emails are ineffective. Respondents were asked to rate the effectiveness of their organizations’ ability in preventing data loss and exfiltration caused by vulnerabilities in employees’ use of emails. Only 41 percent of respondents say their current data loss prevention solutions are effective or very effective in preventing data loss caused by misdirected emails. As one consequence of not having the right solutions, and only 32 percent of respondents say their organizations are effective or very effective in preventing these incidents.
The following recommendations are based on the research findings.
- Data is most vulnerable in email. Employee negligence when using email is the primary cause of data loss and exfiltration. According to the research, 65 percent of respondents say data is most vulnerable in emails. In the allocation of resources, organizations should consider technologies that reduce risk in this medium. On average, enterprises have 13 full-time IT and IT security personnel assigned to securing sensitive and confidential data in employees’ emails.
- Organizations should assess the ability of their current technologies to address employee negligence risks related to email. Forty percent of respondents say email data loss and exfiltration incidents were due to employee negligence or by accident. Additionally, 27 percent of respondents say it was due to a malicious insider. As revealed in this research, many current email data loss technologies are not considered effective in mitigating these risks. Accordingly, organizations should consider investing in technologies that incorporate machine learning and artificial intelligence to understand data loss vulnerabilities through a behavioral intelligence approach.
- Identify the highest risk functions in the organization. According to respondents, the practices of the marketing and public relations functions are most likely to cause data loss and exfiltration (61 percent of respondents). Accordingly, organizations need to ensure they provide training that is tailored to how these functions handle sensitive and confidential information when emailing. As shown in this research, organizations are most concerned about data loss involving customer and consumer data, which is very often used by marketing and public relations as part of their work. Other high-risk functions are production and manufacturing (58 percent of respondents) and operations (57 percent of respondents). Far less likely to put data at risk are client services and relationship management functions (19 percent of respondents).
- Despite the risk, many organizations do not have training and awareness programs with a focus on the sensitivity and confidentiality of data transmitted in employees’ email. Sixty-one percent of respondents say their organizations have training and awareness programs for employees and other stakeholders who have access to sensitive or confidential personal information. Only about half (54 percent of the 61 percent of respondents with programs) say the programs address the sensitivity and confidentiality of data in employees’ emails.
- Sensitive and confidential information are at risk because of the lack of visibility and the ability to detect employee negligence and errors. Fifty-four percent of respondents say the primary barrier to securing sensitive data is the lack of visibility of sensitive data that is transferred from the network to personal email. Fifty-two percent of respondents say the greatest DLP challenges are the inability to detect anomalous employee data handling behaviors and the inability to identify legitimate data loss incidents.
- On average, it takes 18 months to deploy and find value from the DLP solution. Organizations spend an average of slightly more than a year (12.3 months) to complete deployment of the DLP solution and more than half a year (6.5 months) to realize the value of the solution. The length of time to deploy and realize value can affect the ability for organizations to achieve a more mature approach to preventing email-related compromises by employees.
- The length of time spent in detecting and remediating email compromises puts sensitive and confidential data at risk. According to the research, security and risk management teams spend an average of 72 hours to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email and an average of almost 48 hours to detect and remediate an incident caused by a negligent employee. This places a heavy burden on these teams who must triage and investigate these incidents and become unavailable to address other security issues and incidents.
Other takeaways
- Regulatory non-compliance is the number one consequence of a data loss and exfiltration incident followed by a decline in reputation. These top two consequences can be considered interrelated because non-compliance with regulations (57 percent of respondents) will impact an organization’s reputation (52 percent of respondents). Regulatory non-compliance is considered to have the biggest impact on organizations’ decision to increase the budget for DLP solutions.
- Organizations consider end-user convenience very important. Seventy-five percent of respondents say end-user convenience in DLP solutions is very important.