Employees’ emails, file sharing are data breach Trojan Horses
Employees’ emailing and file sharing practices are the leading cause of accidental data breaches, a new survey finds.
Email is the most common technology used in accidental data breaches, according to a survey of 1,000-plus U.S. companies sponsored by data security platform Egress and conducted by Opinion Matters research group.
Eighty-three percent (83%) of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51% of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46% said corporate email was used in an accidental data breach.
Pitfalls: emails to wrong address, forwarding sensitive info
Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey.
The respondents were senior and mid-level security professionals.
Egress cited the “explosive growth” in unstructured data, such as emails, documents and files, and the growing methods employees can use to communicate as factors that have significantly increased the chance of exposing sensitive data.
Collaboration and file-sharing services like Dropbox and Slack are becoming commonly used at organizations and, as a result, sensitive information is being exposed, the survey noted. Indeed, 40% said file sharing technology was used in employee-caused breach accidents, followed closely (38%) by collaboration tools.
Encrypting everything isn’t the solution
The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79% of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while 64% were required to use encryption when internally sharing PII or critical business data.
While useful, Egress chief technology officer and co-founder Neil Larkins noted that encrypting everything isn’t the solution to minimizing breaches. “Encryption plays a part in this but doesn’t entirely solve the issue,” he said, adding that other steps to take include deploying software that logs normal patterns of data sharing and also flags abnormal behavior.
Despite the frequency of accidental breaches, organizations did not see them as an immediate threat. While most respondents said their biggest IT security risk was ransomware and malware (48%) and external attacks (45%), only 40% said accidental data breaches by employees were a risk.
Larkins said that outlook was “historical” and is beginning to evolve as organizations are learning that phishing attacks are effective and the most common data attack.
Updated security policies needed in response to new data laws
Likewise, more companies are training employees to spot phishing, said Joseph Lazzarotti, the privacy, data and cybersecurity practice group founder and chair at the Jackson Lewis law firm. But he was concerned about the survey’s finding that only 59% of companies are implementing new security policies in response to data regulation laws.
“You want those numbers to be higher,” Lazzarotti said. “Given all the breaches that have happened in the last 10 years, you’d hope that number was higher in terms of companies taking steps.”
He noted that as more states enact data privacy and breach laws, more organizations in turn are pushed to implement security policies that are in line with regulations. “There are laws being added to the books that will continue to give companies more reasons to take these steps … hopefully the numbers will go up.”
New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54% of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led 52% of organizations to invest in employee training, and 44% have restricted the use of external data sharing tools. Meanwhile, only 8% said new regulations haven’t changed their organization’s data sharing habits.