Yet another survey from a security firm has found that employees continue to show poor judgment when it comes to letting sensitive data out of their company. This time, the study found that management’s policies are also part of the problem: They aren’t formed or clearly stated.
In its fifth annual study of outbound email and data loss prevention issues, Proofpoint found that more than 40 percent of employees of large (20,000 people or more) forms taking part in its anonymous survey have leaked information, either via e-mail or some other messaging medium, like blogs, message boards and instant messenger.
But in that same survey, Proofpoint found that 50 percent of firms surveyed did not have an adequate training and education program in place to tell their employees just what the rules were regarding sensitive information. They may have had a security policy, but they didn’t tell the staff.
“There are cost issues in training,” Keith Crosley, director of market development for Proofpoint told InternetNews.com. “I think this is a classic battle between IT departments and more senior management. IT security some times does take a back seat to other issues. The folks that we deal with, your e-mail admis, your CSOs, VPs of engineering, they are all cognizant of these issues but they feel that their cries fall on deaf ears.”
He added that companies often do get religion about the issue after they burned, “but after you have a data loss incident it’s too late.”
While employees may be able to claim some kind of ignorance, they are not off the hook, either. They are often guilty of making a really bad assumption about e-mail: that no one else will see it. As the recent public release of e-mails from Microsoft executives regarding the Vista
Capable debacle showed, internal e-mails can become public very easily.
“There is something culturally about the perceived privacy of e-mail,”
said Crosley. “When you are in your cube and you’re on the phone, you’re always aware someone is overhearing what you are saying. Because e-mail is silent, there is the sentiment it is private, when nothing could be further from the truth. It’s permanent, there’s an audit trail and there’s a good chance someone other than your intended recipient is going to read your e-mail.”
And it has been a problem. According to the survey, 40 percent of companies investigated an email-based violation of privacy or data protection regulations in the past 12 months, and 26 percent of companies surveyed terminated an employee for violating e-mail policies in that time period. One in three of the largest firms reported that employee email was subpoenaed in the last 12 months for some kind of legal case.
E-mail is not the only source of risk for information leakage. The survey also found that 27 percent of companies had investigated the exposure of confidential information lost or stolen from a mobile device in the past year. This was usually lost laptops.
Eleven percent of U.S. companies surveyed disciplined employees for improper use of blogs/message boards, 13 percent disciplined employees for social network violations and 14 percent disciplined employees for improper use of media sharing sites in the past 12 months.
Crosley said there is a great deal of emphasis on malicious activity, whether it’s malware or corporate espionage, but that’s a fraction of the problem. The main problem is accidents. “The number one thing companies can do to prevent breaches it’s improve their training,” he said. “If employees know what the rules are, by and large they are going to adopt them.”
Proofpoint’s Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008, report is available online.