IT security and compliance managers said employees emailing sensitive data is a main cause of data leaks. Unencrypted email sitting on mobile devices is also a problem.
Email may be critical to an
organization's day-to-day operations, but it is also becoming one of the main
sources of data leakage, according to a recent Ponemon Institute report.
In a survey of 830 information
technology, security and compliance professionals, more than half of the
respondents said improper email use by employees is the main cause of data leaks
within the organization,
the Ponemon Institute said Sept. 20. The study, sponsored by email encryption
vendor Zix, looked at the risk to confidential information transmitted by email.
Approximately 69 percent said employees
have violated security policies and frequently send sensitive information
through insecure email channels, and 60 percent use personal Webmail accounts
to send corporate information, the survey found. About 63 percent believe
employees mistakenly send confidential information to recipients outside the
workplace. In addition, 70 percent of the compliance and security professionals
surveyed are concerned about data lost via email on mobile devices.
Email is "such a significant tool
that employees are inclined to circumvent policy and email sensitive
information, so they can effectively perform their responsibilities in a timely
manner," said Larry Ponemon, chairman and founder of the Ponemon
The Ponemon Institute cited email usage
figures from Osterman Research in the report, noting that 20 to 25 percent of emails
contain attachments that make up 98 percent of the total volume of data sent
via email. Instead of saving attachments locally or to "appropriate data
storage centers," employees often save them in email folders, effectively
turning the inbox into a "personal storage center," Ponemon
researchers wrote. On average, 75 percent of an organization's intellectual
property is in an email or an attachment, the researchers estimated.
While organizations should ensure
employees aren't sending sensitive data outside the company via email, the
report noted other email-related risks. Considering the amount of information
stored on mail servers, a data breach could result in the theft of highly
sensitive information. Mobile devices are also a cause for concern, as
employees are increasingly checking email while outside of the office.
"Mobile security adds yet another
layer of complexity for security and compliance professionals," said Rick
Spurr, CEO of Zix.
Administrators are also concerned about
their abilities to manage the flow of sensitive data. Less than half, or 42
percent, feel they have adequate technology for securing sensitive email or
Organizations in highly regulated
industries, such as financial services and health care, face possible compliance
violations if they don't have email encryption technology in place. The Health
Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act,
Sarbanes-Oxley legislation and state laws in Massachusetts and Nevada all have
rules about protecting confidential information sent via email.
While regulatory compliance remains the
biggest driver for deploying email encryption, 84 percent of survey respondents
said they don't know what information needs to be encrypted. Of the
organizations without email encryption, more than half, or 67 percent, were
unaware there are regulations governing how sensitive information should be
sent over email, the survey found.
Organizations are often using older
technology, which affects user satisfaction. More than half of the respondents
are using email encryption products that are at least 4 years old. About 52
percent of the senders and 57 percent of receivers said email encryption
products cause "high levels of frustration," the report found.
The complexity of encryption is also
higher for mobile devices. Only 31 percent of responders said they'd ever
opened an encrypted email on a mobile device.