SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Email revealed to be riskiest channel for data loss
Wed, 25th May 2022

More than half (60%) of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months, according to new research from the Ponemon Institute, sponsored by Tessian.

Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

The Ponemon Institute surveyed 614 IT security practitioners across the globe to also reveal that:

  • Employee negligence was the leading cause of data loss incidents (40%) in the last 12 months
  • More than a quarter (27%) of data loss incidents are caused by malicious insiders
  • It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
  • Almost one in four (23%) organisations experience up to 30 security incidents involving employees' use of email every month

Furthermore, the majority of respondents (54%) said that the primary barrier to securing sensitive company data is the lack of visibility of sensitive data that is transferred from the network to personal email.

The study also found that 52% of respondents say the barrier is the inability to detect anomalous employee data handling behaviours and the inability to identify legitimate data loss incidents.

Due to this lack of visibility, it can take IT security teams almost three days (72 hours) to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email and up to two days (48 hours) to detect and remediate an incident caused by employees.

The report revealed that the majority of organisations (73%) are concerned that employees do not understand the sensitivity or confidentiality of data they share through email.

Despite these findings, nearly half of IT security leaders surveyed (46%) say their programs properly address the sensitivity and confidentiality of the data that employees can access on email.

Josh Yavor, chief information security officer for Tessian, commented, "Most security awareness training programs focus on inbound threats, yet fail to adequately address the handling of sensitive data internally. But data loss - whether accidental or intentional - is a major threat and should be treated as a top priority.

"To create awareness and mitigate data loss incidents, organisations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data.

"Security awareness training that directly addresses common types of data loss - including what's okay to share with personal accounts and what's not okay to take with you when you leave a company - and a culture that builds trust and confidence among employees will improve security behaviours and limit the amount of data that flows out of the organisation."

Larry Ponemon, chairman and founder of Ponemon Institute, says, "This study showcases the severity of data loss on email and the implications it has for modern enterprises.

"Our findings prove the lack of visibility organisations have into sensitive data, how risky employee behaviour can be on email and why enterprises should view data loss prevention as a top business priority."