Cyber thieves are increasingly finding new channels to steal data from unaware employees. However, email is still by far the most popular medium by which enterprises have lost data, according to new research released last week by email security provider Tessian and the Ponemon Institute.
Three out of five of the 614 U.S.-based corporate IT security experts who were surveyed in March 2022 said that their own organizations had “experienced data loss or exfiltration caused by an employee mistake on email” in the previous 12 months.
“Despite acknowledging the risk ... many organizations do not have training awareness programs with a focus on the sensitivity and confidentiality of data transmitted in employees’ email,” said Larry Ponemon, chairman and founder of Ponemon Institute.
He added that just 61% of IT professionals at enterprises surveyed already had training and awareness programs in place for those with access to sensitive information. However, just over half (54%) of these organizations with these programs admitted that they had “addressed the sensitivity and confidentiality of data in employees’ email,” Ponemon said.
Despite email interactions having been the digital channel with the most longevity and familiarity for most employees — including, arguably, those in the financial industry — roughly two-thirds (65%) of IT security professionals from various sectors said that email has remained the riskiest channel for data loss in organizations. Email was seen as potentially less secure even than cloud file-sharing services, found to be risky by 62% of respondents, or instant messaging platforms (57%).
Josh Yavor, chief information security officer at Tessian, said that perhaps one of the most surprising findings from their research was that only two out of five of these email-based data loss incidents were caused by employee negligence from not following policies. Just 28% are caused by mistakes made by employees, he added, while roughly the same number (27%) were caused by insider threats.
“What stands out is that 68% of data loss incidents were not due to active malice by employees,” Yavor said, which affirmed that “a significant number of data loss incidents could be prevented with smarter and tailored training that helps employees avoid these mistakes by coaching them through critical decisions in a moment when they might not remember all of the details captured in company policies.”
For example, as people continue to leave their jobs — often referred to as "The Great Resignation" — they may intentionally “send data or documents to their personal account and not even fully understand how it can impact the company’s security,” Yavor added.
Hence, while employees who work in highly regulated enterprises such as financial institutions might be doing better than most, even they “do not necessarily understand the sensitivity of data shared over email,” Yavor said. He pointed out that nearly three-fourths (73%) of their IT security survey respondents said this was a concern.
Since regulatory non-compliance is arguably the No. 1 consequence of a data loss incident banks, credit unions and investment firms, “this can have significant financial coincidences for this industry,” Ponemon said. "Regulated data is the most difficult to protect."
Ponemon suggested financial institutions should be more proactive in addressing and reducing email data loss prevention.
“They should assess where in the organization data is most at risk, and leverage machine learning and behavioral capabilities” to alert the IT security department to potential email risk.