Email may be critical to an organization’s day-to-day operations, but it is also becoming one of the main sources of data leakage, according to a recent Ponemon Institute report.
In a survey of 830 information technology, security and compliance professionals, more than half of the respondents said improper email use by employees is the main cause of data leaks within the organization, the Ponemon Institute said Sept. 20. The study, sponsored by email encryption vendor Zix, looked at the risk to confidential information transmitted by email.
Approximately 69 percent said employees have violated security policies and frequently send sensitive information through insecure email channels, and 60 percent use personal Webmail accounts to send corporate information, the survey found. About 63 percent believe employees mistakenly send confidential information to recipients outside the workplace. In addition, 70 percent of the compliance and security professionals surveyed are concerned about data lost via email on mobile devices.
Email is “such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
The Ponemon Institute cited email usage figures from Osterman Research in the report, noting that 20 to 25 percent of emails contain attachments that make up 98 percent of the total volume of data sent via email. Instead of saving attachments locally or to “appropriate data storage centers,” employees often save them in email folders, effectively turning the inbox into a “personal storage center,” Ponemon researchers wrote. On average, 75 percent of an organization’s intellectual property is in an email or an attachment, the researchers estimated.
While organizations should ensure employees aren’t sending sensitive data outside the company via email, the report noted other email-related risks. Considering the amount of information stored on mail servers, a data breach could result in the theft of highly sensitive information. Mobile devices are also a cause for concern, as employees are increasingly checking email while outside of the office.
“Mobile security adds yet another layer of complexity for security and compliance professionals,” said Rick Spurr, CEO of Zix.
Administrators are also concerned about their ability to manage the flow of sensitive data. Less than half, or 42 percent, feel they have adequate technology for securing sensitive email or attachments.
Organizations in highly regulated industries, such as financial services and health care, face possible compliance violations if they don’t have email encryption technology in place. The Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, Sarbanes-Oxley legislation and state laws in Massachusetts and Nevada all have rules about protecting confidential information sent via email.
While regulatory compliance remains the biggest driver for deploying email encryption, 84 percent of survey respondents said they don’t know what information needs to be encrypted. Of the organizations without email encryption, more than half, or 67 percent, were unaware there are regulations governing how sensitive information should be sent over email, the survey found.
Organizations are often using older technology, which affects user satisfaction. More than half of the respondents are using email encryption products that are at least 4 years old. About 52 percent of the senders and 57 percent of receivers said email encryption products cause “high levels of frustration,” the report found.
The complexity of encryption is also higher for mobile devices. Only 31 percent of respondents said they’d ever opened an encrypted email on a mobile device.