According to a new study, deliberate and accidental data loss is a serious threat to most organizations.
A report by Tessian and the Ponemon Institute reveals that nearly 60% of organizations experienced data loss or exfiltration from an employee mistake on email over the last 12 months.
The research found that email was the riskiest channel for data loss, accounting for 65% of data losses. Cloud sharing and instant messaging platforms accounted for 62% and 57% of data loss incidents, respectively.
The report noted that most organizations strongly emphasized the risk of inbound threats while failing to address the threat posed by internal data handling.
Key findings of the Tessian and Ponemon Institute Report
The Tessian/Ponemon report found that employee negligence and disregard for their companies’ data handling policies were the leading cause of intentional and accidental data loss.
Nearly a quarter (23%) of organizations experience at least 30 security incidents originating from employees’ use of email.
According to the report, malicious insiders posed a significant threat to organizations and were responsible for more than a quarter (27%) of internal data losses.
Additionally, most organizations are slow in detecting and remediating deliberate and accidental data loss.
The report also found that security and risk management teams took at least three days to detect and remediate a data loss and exfiltration incident by a malicious insider on email. Organizations also spent at least 48 hours before learning of data loss by a negligent employee.
The most common forms of intentional or accidental data loss incidents involved customer information (61%), intellectual property (56%), and customer information.
“User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss,” the report stated.
Consequences of intentional and accidental data loss are profound
Most respondents identified non-compliance with data protection regulations (57%) and reputational damage (52%) as the main consequences of deliberate and accidental data loss.
According to the findings of another Tessian study, nearly a third of businesses lost a client or customer after an employee sent an email to the wrong person.
More than a fifth (21%) of employees lost their job after an emailing mistake, while an equal number of employees did not report the incident. Forty percent (40%) of US/UK employees admitted making an email mistake in the last 12 months.
According to Tessian’s Psychology of Human Error 2022 report, half of the employees (50%) attributed their emailing mistakes to the pressure to send the email quickly, while others blamed lack of attention (49%), distraction (47%), and fatigue (42%).
Lack of visibility leads to intentional and accidental data loss
The lack of visibility into the data that organizations intend to protect was the leading cause of deliberate or accidental data loss.
“A lack of visibility of sensitive data that employees transferred from the network to personal email was cited as the most common barrier (54%) to preventing data loss,” the report stated.
Additionally, more than half (52%) of the security practitioners could not identify legitimate data loss incidents or employee data handling behaviors.
Larry Ponemon, chairman and founder of Ponemon Institute, said the report highlighted the risks of intentional and accidental data loss via email and its implications.
“Our findings prove the lack of visibility organizations have into sensitive data, how risky employee behavior can be on email and why enterprises should view data loss prevention as a top business priority,” he said.
Report recommendations on data loss prevention
According to the study, nearly three-quarters (73%) of organizations were concerned about their employees’ lack of awareness of the sensitivity or confidentiality of data shared via email.
However, only half of the security practitioners said their organizations had programs to address the confidentiality and sensitivity of data that employees could access via email.
Most respondents (61%) suggested that marketing and public relations departments were more likely to expose sensitive information via email, followed by production/manufacturing (58%) and operations (57%) departments.
According to Tessian Chief Information Security Officer Josh Yavor, most organizations focused on addressing inbound threats but failed to tackle the risks of internal data handling.
Describing deliberate and accidental data loss as a significant threat, Yavor advised organizations to prioritize the issue.
“To create awareness and mitigate data loss incidents, organizations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data.”