Email security gets a lot of attention. You know you need spam filters on your Microsoft Exchange Server organization, and if those filters don't work well, you're going to hear all kinds of complaints from end users. You know you need virus and malware protection to save your network from the ridiculous mistakes those same users are likely to make. You've probably spent a great deal of time finding and fine-tuning the solutions that provide this protection to your network. But have you spent an equal amount of time thinking about outbound security threats from email and other sources?
Some companies certainly have. That's a key takeaway from the recent survey by Proofpoint, "Outbound Email and Data Loss Prevention in Today’s Enterprise, 2009." In addition to outbound email, the survey also questions respondents about concerns for data loss related to mobile devices, blogs and message boards, social media and media sharing sites, and other technologies. Overall, more than half the respondents said they were "concerned" or "very concerned" about losing data through these various outlets.
This year's survey also looks at how economic factors are affecting security concerns about data loss. Layoffs can lead to security problems at any time, but when layoffs strike the IT department, which is already working on a super-tight budget, the potential for significant problems arises. I spoke with Keith Crosley, director of market development for Proofpoint and author of the annual survey since it began in 2004. "IT departments have got to be mindful of this," Crosley said. "You've got to limit access to accounts as soon as possible when a termination is occurring." Overall, more than 17 percent of companies investigated data loss around an employee leaving the company during the last year; in the largest companies (over 20,000 employees), the number rises to 32.2 percent.
When I think of data loss, what comes to mind are the movies or books I've read about corporate espionage and all the outrageous shenanigans that go into such stories. And I suppose there might be some grain of truth in those stories. However, as Crosley said, "The vast majority of data breaches or potential data breaches are completely inadvertent, and they often relate to employees simply trying to do their jobs." Crosley describes the problem as a cultural issue: We're so conditioned to using email for communications that we don't necessarily realize when we're breaking the rules.
One story Crosley tells to highlight this point is that of nurses or other medical personnel inadvertently breaking HIPAA regulations by sending confidential patient information through email. The intent is simply to pass along shift notes when it's time to go home. Although it might be convenient for two individuals to communicate through Gmail if they're not otherwise going to cross paths, the security of such communication is simply not adequate. The moral here is the need for better education: Make sure you have corporate policies in place governing appropriate email use, and make sure your employees know what the rules are.
Something I found a bit surprising from the survey is the number of companies that have dedicated staff monitoring outbound email. Almost a third (32.9%) of the companies in the survey reported having "staff whose primary or exclusive job function is to read or otherwise analyze outbound email content." Wow. These companies must have—or think they have—a significant problem if they're willing to pay people just to perform this function. Or maybe it's just a proactive attempt to avoid litigation from giving out credit card numbers or private medical information.
"I don't think that companies of any significant size can afford to be without a technology approach to scanning outbound email because you can't solve these problems manually," Crosley said. "You can't, after the fact, do a random sampling of outbound email content and go, 'Look, we're regularly leaking credit card data.' That's not helpful." Of course, Proofpoint offers email security and data loss prevention products both as on-premises and hosted solutions.
The Proofpoint survey has some interesting statistics about social media sites, Short Message Service (SMS—i.e., texting, Twitter), as well as the types of data companies fear are being lost and the actions taken against employees for violating the rules. You can download the full report from Proofpoint's website if you want to see the bigger picture of data loss potential in the enterprise. And you can see Keith Crosley give a brief presentation with some more quick stats in the video below.