Proofpoint: Email Security Blog

Cultural Aspects of Email

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technology was brought in later in this period, and procedures, such as how laptops are booked in and out and whether they have been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years, and fewer than half of those devices used encryption to protect the data they stored. The cost of the equipment alone is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches."

July 01, 2010

CEO Gary Steele Interview: "Rolling Up Email Security SaaS"

[Updated July 6, 2010: Complete multi-part interview is now online.]

Proofpoint CEO Gary Steele recently spoke at length with entrepreneurship blogger and Forbes writer Sramana Mitra about his background, Proofpoint's business and trends around email security, SaaS and other topics related to the enterprise markets that Proofpoint serves.

The first part of Mitra's multi-part interview is now posted at sramanamitra.com. In segment one of "Rolling Up Email Security SaaS," Gary talks about his early background, education and how he made the leap from the engineering world to high-tech marketing to CEO and how he came to join Proofpoint in its pre-funding days.

Read the interview here: "Rolling Up Email Security SaaS, Part 1," Gary Steele in conversation with Sramana Mitra. Even though I know Gary pretty well, I learned a few things about him by reading this and look forward to the rest of the series.

Update 7/6/2010: The rest of this series is now online at Sramana Mitra's site. I've put direct links to all six parts below, along with short notes about the topics covered:

Part 1: Gary Steele's background and early career:
http://www.sramanamitra.com/2010/06/30/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-1/

Part 2: How Gary came to Proofpoint and the company’s early development:
http://www.sramanamitra.com/2010/07/01/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-2/

Part 3: Proofpoint’s first customer successes and the early days of the cloud:
http://www.sramanamitra.com/2010/07/02/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-3/

Part 4: On competition and customer satisfaction:
http://www.sramanamitra.com/2010/07/03/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-4/

Part 5: Ramping Proofpoint’s business and email security, DLP and email archiving product development, acquisitions:
http://www.sramanamitra.com/2010/07/04/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-5/

Part 6: On future prospects for Proofpoint:
http://www.sramanamitra.com/2010/07/05/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-6/

June 25, 2010

FTC Puts the Smackdown on Twitter for User Privacy, Access Controls: Concern Over Privacy and Data Protection Just Keeps Growing

Is privacy the new black? Certainly seems that way with a constant stream of news about privacy snafus, data loss/exposure incidents and increasing scrutiny of data privacy policies at all levels.

A couple of the latest sightings: Yesterday, the FTC issued a decision based on its investigation of Twitter's security practices (text of the FTC's decision on Twitter here), which came under scrutiny after several high-profile compromises of that social media service.

E-Commerce Times has a good summary of the situation today, including some commentary from yours truly about what this ruling means for all types of online services, especially those with a messaging component. I also suggest that some of the FTC's prescriptions for Twitter are generally good advice when it comes to password security. Rather than repeat all of that here, I refer you to Katherine Noyes's excellent article over at ecommercetimes.com for the whole story:

E-Commerce Times: FTC Puts Social Nets on Notice with Twitter Smackdown

On a related note, I see that the always excellent Healthcare Info Security has posted a new podcast with IT luminary Guy Kawasaki talking about social media strategies, including security concerns. Taking a bit of a contrarian view, Guy says that security and privacy concerns about social media are "massively overblown."

Healthcare Info Security podcast: Guy Kawasaki on the Power of Social Media

I get where Guy's coming from - he's really commenting on some individuals' over-sensitivity to targeted marketing campaigns, and on the difference between regulated information like personal healthcare and financial data and information that might be considered "private" but doesn't really represent something risky or exploitable.

But at the same time, enterprises (especially in regulated industries) need to be mindful of the fact that - just as with email - it's fairly easy to run afoul of data protection and privacy regulations over social media.

Regular readers know that I've got a whole raft of facts about that (if you've never seen those before, you can find many of those here in the blog, or download my latest report at http://www.proofpoint.com/outbound.)

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article). 

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine if employees’ text messaging limits were too low and should be increased – during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which is concern about compliance with data protection regulations such as HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

June 11, 2010

Best Practices for Using Email in the Workplace: Via FINS/Wall Street Journal Digital Network

Once again, I am quoted giving a variation on my golden rule of email, "Don't put anything in writing that you don't want the whole world to see." This time, the venue is FINS (a finance careers site that's part of the Wall Street Journal's online network). In, "Email Best Practices for the Workplace," reporter Toddi Gutner quotes me and Proofpoint's oft-repeated statistics on email discovery and email monitoring.

In light of recent exposures of internal emails at firms like Goldman Sachs, this article aims to answer the question, "Are there times when an email shouldn't have been sent?" While aimed at financial services professionals, this article provides some great advice that workers in any industry should consider when using email at work.

To summarize the guidelines presented in the article for using email at work:

  • Keep work email for work matters. If you are using your company computer and your company email, it shouldn't be used for personal matters.
  • Communicate clearly and carefully. Finance professionals, such as traders and portfolio managers who use email to verify prices of stocks and bonds, need to ensure that the information they send is accurate.
  • Be professional. Don't write or send an email when you're angry or emotional. If you're upset, consider waiting 24 hours.
  • Consider the telephone. When considering writing an email on a sensitive topic, consider picking up the phone instead.

There's a lot more detail in the full article, which can be found here:

Email Best Practices for the Workplace

June 04, 2010

UK Information Commissioner's Office Publishes Data on Security Breaches, But Not Yet Issuing Fines

eWeek Europe has been doing a good job of following news out of the UK about efforts by the Information Commissioner's Office (ICO) to crack down on breaches of personal data.

In a new story out today, ICO Cracks Down on Data Breaches, But no Fines, writer Sophie Curtis points out that while the ICO has ruled that several large-scale exposures of private healthcare and identity information were violations of the UK's Data Protection Act, it has yet to impose fines. (Earlier this year, the ICO was given authority to levy fines of up to 500,000 pounds.)

Earlier in the week, the ICO published a list of all the data breaches that had been reported to it since 2007, along with some analysis of the causes and sources of those breaches. The ICO released the full list as a breach notification spreadsheet.

A quick look shows that stolen data and hardware are the most common cause, while erroneous disclosures (which I presume include a healthy number of inadvertent leaks via email and the web) are the second most common cause. eWeek Europe has some additional analysis in their article, "NHS Tops ICO List for Most Data Breaches."

In their article today, eWeek included some Proofpoint statistics about UK data loss concerns that we had collected at the recent Infosecurity Europe 2010 show, along with commentary from our own Ken Yearwood:

...a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.

This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.

“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”

May 19, 2010

Email Security Trends, UK: Results from Proofpoint Survey at Infosecurity Europe 2010 (with Videos)

Proofpoint exhibited recently at the 2010 Infosecurity Europe show, held in London, and as we did at the 2010 RSA conference, we conducted an electronic survey about email trends that 140 attendees (81% of them with IT, security or messaging titles and the balance with analyst/legal/compliance or non-IT titles) took the time to fill out.

Among the findings:

43% of respondents said they are "very concerned" about inadvertent leakage of private or personal information from their organizations via email. Fully half said they are "somewhat concerned" about this issue. Just 7% claim that they are "not concerned" about these sorts of data leaks.

That concern is well justified, since nearly two-thirds (64%) of respondents said that their organizations are subject to data protection regulations that require certain types of email to be encrypted or handled with particular care because they contain private or confidential information. Only 25% said their organizations were not subject to such data protection regulations.

In this short video, several attendees discuss the various regulations (such as the UK's Data Protection Act, PCI-DSS, etc.) that apply to their company's use of email:

The trend toward increasing the security around private data is something we've reported on quite frequently here in the blog and the growing awareness of data loss issues is reflected in some of our other survey findings. For example, 94% of respondents who have a corporate laptop said that it was password protected and more than half (58%) said that their corporate laptop used full disk encryption.

In addition, nearly half of respondents (49%) said their organization had already deployed an email encryption solution. Another 21% said that their organization intends to deploy an email encryption solution in the future.

On the topic of inbound email security, 40% of respondents said their organizations had been the target of a "spear phishing" attack in the past 12 months. That is, they were targeted by a phishing email designed specifically to compromise their own email users. (Our survey from RSA, where most respondents were US-based, found that nearly half of respondents believed their organizations had been the target of a spear phishing attack in the last 12 months.)

35% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 26% cited cost. 20% said that "ease of administration" was the most important factor. 8% cited available deployment method (e.g., SaaS vs. appliance) and 4% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.

Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (48% and 21%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:

  • 17% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
  • 9% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (As I mentioned in my post on RSA survey findings, I still fall into this camp!)
  • Just 2% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.

In the following video, attendees on the Infosecurity Europe show floor discuss their top email annoyances:


May 12, 2010

Cybersecurity and Privacy in the UK: Is Data Privacy Responsible for the New UK Government? (with Video)

SC Magazine news editor Dan Raywood (who frequently mentions my posts here in his own articles for SC) has been tweeting news about the formation of the new coalition government in the UK (now confirmed as a Conservative-led, Liberal Democrat-allied coalition with Prime Minister David Cameron [Conservative] and Deputy Prime Minister Nick Clegg [Liberal Democrat] at the helm).

With tongue only gently planted in cheek, Dan (follow him @DanRaywood on Twitter) suggested in a tweet yesterday that data privacy might have been a major driver for the failure of Labour to form a coalition government:

"Rumour that ID cards are what caused Clegg to turn back on Labour coalition. So could it be said that data privacy caused the new government?"

And, indeed, one of the first actions of the new government is reported to be the introduction of a "freedom bill" that will extend Freedom of Information laws and repeal ID cards and biometric passports. (See "Nick Clegg Confirmed as deputy prime minister" among other articles.)

When Proofpoint interviewed attendees at the recent Infosecurity Europe show, we found a great deal of confusion (maybe even a touch of American-style apathy) about which UK political party would do the most to improve cybersecurity in general. Our friends at LEWIS PR interviewed attendees on this topic and you can hear firsthand what they thought in this short video:


We asked 140 attendees at Infosecurity Europe "Ahead of the UK general election, which political party do you think would do the most to improve cyber security in the UK?" and found that more than half of respondents (57%) said they didn't know. The rest of the responses were as follows: 

Labour: 7%
Conservatives: 12%
Liberal Democrats: 11%
Other: 13%

It'll be interesting to follow how the UK's data privacy regulations change in the coming months since these topics are clearly on the new government's agenda!

May 11, 2010

Email Security Trends Report, Q1 2010 from Proofpoint and Commtouch

Something I've been meaning to post for a while but hadn't had the chance... The latest Internet Threats Trend Report from Proofpoint and our partner Commtouch is now available.

As usual, this Q1 2010 version reviews the latest spam techniques, spam trends, spam topics and spam sources. Highlights in this latest edition include:

  • A SpamAssassin bug that caused numerous false positives for users of open source email security
  • The latest spam template techniques being used by spammers
  • A CNN redirect exploited to send work-at-home scam emails
  • An analysis of how much spam comes from gmail.com
  • Rises in spam, zombie trends, malware variants, the "hottest" spam topics... and much more

Visit the following link to download a free copy of this email security report:

Free Report: Internet Threats Trend Report, Q1 2010

May 04, 2010

Email Security Market Continues Hot: Proofpoint Revenues Reach Record Levels Once Again, Sophos Sells Majority Stake to Apax Partners

A couple of notes on the continued strength of the email security market and (as the mainstream press would say) "cybersecurity" market in general:

Today, Proofpoint announced that Q1 2010 was its 27th consecutive quarter of record revenue (see our press release, "SaaS Email Security and Compliance Leader Proofpoint Reports Q1 2010 Results, Achieves 27th Consecutive Quarter of Record Revenue"). Drivers for Proofpoint's strong business in Q1 included accelerating growth in SaaS email archiving, increasing government sector traction, increasing demand for email encryption and continued strong customer renewals and upsell.

Proofpoint CEO Gary Steele says in the release that, "Proofpoint is off to an extremely strong start in 2010. Large enterprises and government organizations worldwide continue to look for ways to improve email security while reducing costs. At the same time, the global trend toward stricter, more complex data privacy regulations is driving interest in our data loss prevention, email encryption, compliance and eDiscovery solutions. As a result, we’re seeing accelerated growth in our email archiving business and increased uptake of our DLP and email encryption solutions with both new and existing customers."

To learn more about the market drivers for email security and Proofpoint's performance relative to the market as a whole, check out Gartner's 2010 Magic Quadrant for Secure E-Mail Gateways, which you can read compliments of Proofpoint.

In related news, IT security and data protection vendor Sophos announced that it will sell a majority interest in the company to a private equity firm, Apax Partners. Sophos's press release on this is here: "Apax Partners to Acquire Majority Interest in Sophos Plc." The deal is worth $830 million, with Apax taking a majority stake while Sophos founders are said to retain a "significant minority shareholding."

Byron Acohido at USA Today has a good summary of this news in the story, "Investors buy majority stake in Sophos for $840 million." As he writes in that article:

The deal underscores the strength of the IT security industry. It also takes UK-based Sophos -- the world's third largest antivirus supplier, behind Symantec and McAfee -- out of the running of private tech security firms in strong position to go public this year.

In that paragraph, Acohido links to a previous article, "Cybersecurity stocks look hot in 2010," wherein various analysts are quoted as saying that the recent row between Google and China has put a spotlight on IT security and that both publicly and privately held security companies stand to benefit. In comments attributed to Asheem Chandna, partner at Greylock Partners, that earlier article noted that:

Private firms with strong balance sheets and good growth prospects that might be viewed as viable candidates to float an initial public stock offering include Sophos, Barracuda Networks, Qualys, Proofpoint and Tripwire, Chandna says. He estimates 30 to 50 tech firms could go public this year, including three to five tech-security companies.
