Email Primary Source of Data Leaks in Organizations: Ponemon

By CIOinsight  |  Posted 09-22-2011
IT security and compliance managers said employees emailing sensitive data is a main cause of data leaks. Unencrypted email sitting on mobile devices is also a problem.

Email may be critical to an organization's day-to-day operations, but it is also becoming one of the main sources of data leakage, according to a recent Ponemon Institute report.

In a survey of 830 information technology, security and compliance professionals, more than half of the respondents said improper email use by employees is the main cause of data leaks within the organization, the Ponemon Institute said Sept. 20. The study, sponsored by email encryption vendor Zix, looked at the risk to confidential information transmitted by email.

Approximately 69 percent said employees have violated security policies and frequently send sensitive information through insecure email channels, and 60 percent use personal Webmail accounts to send corporate information, the survey found. About 63 percent believe employees mistakenly send confidential information to recipients outside the workplace. In addition, 70 percent of the compliance and security professionals surveyed are concerned about data lost via email on mobile devices.

Email is "such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner," said Larry Ponemon, chairman and founder of the Ponemon Institute.

The Ponemon Institute cited email usage figures from Osterman Research in the report, noting that 20 to 25 percent of emails contain attachments that make up 98 percent of the total volume of data sent via email. Instead of saving attachments locally or to "appropriate data storage centers," employees often save them in email folders, effectively turning the inbox into a "personal storage center," Ponemon researchers wrote. On average, 75 percent of an organization's intellectual property is in an email or an attachment, the researchers estimated.

While organizations should ensure employees aren't sending sensitive data outside the company via email, the report noted other email-related risks. Considering the amount of information stored on mail servers, a data breach could result in the theft of highly sensitive information. Mobile devices are also a cause for concern, as employees are increasingly checking email while outside of the office.

"Mobile security adds yet another layer of complexity for security and compliance professionals," said Rick Spurr, CEO of Zix.

Administrators are also concerned about their abilities to manage the flow of sensitive data. Less than half, or 42 percent, feel they have adequate technology for securing sensitive email or attachments.

Organizations in highly regulated industries, such as financial services and health care, face possible compliance violations if they don't have email encryption technology in place. The Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, Sarbanes-Oxley legislation and state laws in Massachusetts and Nevada all have rules about protecting confidential information sent via email.

While regulatory compliance remains the biggest driver for deploying email encryption, 84 percent of survey respondents said they don't know what information needs to be encrypted. Of the organizations without email encryption, more than half, or 67 percent, were unaware there are regulations governing how sensitive information should be sent over email, the survey found.
