Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.
You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.
I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:
Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:
36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.
Enterprise concerns and data loss events from social media continued to rise in the past 12 months:
Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.
In a press release issued today, Proofpoint recapped quarterly results from Q2 2010, announcing 7 years (28 consecutive quarters) of increasing quarterly revenue. As we've seen in previous quarters, data privacy and regulatory compliance concerns were an important driver for new business once again.
Proofpoint CEO Gary Steele said that, “There are four key issues driving enterprise IT security spend right now—an increasingly sophisticated spam and malware threat landscape, urgency around protecting consumer and data privacy, pressure to address electronic discovery issues and a realization that SaaS can greatly reduce security and compliance costs. Proofpoint’s solutions are ideally suited to meeting these needs.”
Regular readers of this blog will recognize that the trend toward more strict data protection regulations and increasing eDiscovery needs isn't particularly new. However, one very interesting new trend reported in Proofpoint's latest release is that the Federal market for SaaS solutions is definitely heating up.
One new deal mentioned in the press release is the adoption of Proofpoint's SaaS email archiving solution by a large US Federal agency for an initial 6000 mailboxes with plans to eventually roll the solution out to archive email for more than 70,000 of the agency's employees.
Commenting on the deal, Steele says, “To date, Federal agencies have been extremely cautious about adoption of SaaS solutions and this deployment of Proofpoint Archive will be among the first and largest SaaS deployment—of any kind—in the Federal market. The selection of Proofpoint is a strong validation of the unique security, reliability and scalability features of our SaaS architecture and applications.”
There's been quite a bit of news coverage recently about Federal adoption of cloud computing-based solutions—for example, the ongoing battle between Google and Microsoft to provide email hosting services for 15,000 employees at the GSA (see, "Google cloud-computing applications get certification for federal government use," in Sunday's Washington Post for just one example).
"Over the years, Proofpoint has gained strong momentum in the public sector, protecting more than one million government email inboxes including many federal civilian agencies, department of defense organizations such as the US Coast Guard, and the intelligence community. By achieving important information assurance certifications such as NIAP’s Common Criteria EAL2+ and NIST FIPS 140-2, Proofpoint is trusted to protect mission-critical applications and mitigate risk through its email security, archiving and data loss prevention solutions."
Of course, it's not just the Federal government market that's moving to SaaS: Enterprises in the private sector continue to move to SaaS. As just one example, Proofpoint's release notes that the number of messages under management by its SaaS email archiving solution doubled in the past 12 months and that this trend is accelerating.
For more on the trends that drove Proofpoint's revenues to record levels once again, see the full press release:
NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.
Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units who actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.
The whole article is worth a read, and it provides an interesting "proof point" for something that we've been noting for quite a while: that multi-channel, enterprise DLP deployments (which involve the deployment of endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.
As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss - and one of the least controlled).
Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:
Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):
... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.
The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:
In this video shot on the show floor at the 2010 Infosecurity Europe conference, several Proofpoint partners share some perspectives on working with SaaS email security and compliance vendor, Proofpoint. (This video is part of a series shot at Infosec that includes videos on email security trends and UK cybersecurity politics.)
Interviewed are Dave Ewart, Senior Product Marketing Manager for technology partner Blue Coat Systems, Scott Morin, VP of Worldwide Sales for technology partner Titus Labs and Alex Teh, Commercial Director for reseller/distributor partner Vigil Software.
Issues including blended threats, data loss prevention, email classification, protective marking and email encryption are discussed.
Titus Labs, Proofpoint and Vigil have been working together quite closely with EMEA customers who are deploying Proofpoint's email security/DLP solution, integrated with Titus's email classification solution. If you're interested in learning more about how these products can work together to help with a variety of regulatory compliance and data loss prevention issues, check out this web seminar replay:
eWeek Europe has been doing a good job of following news out of the UK about efforts by the Information Commissioner's Office (ICO) to crack down on breaches of personal data.
In a new story out today, ICO Cracks Down on Data Breaches, But no Fines, writer Sophie Curtis points out that while the ICO has ruled that several large-scale exposures of private healthcare and identity information were violations of the UK's Data Protection Act, it has yet to impose fines. (Earlier this year, the ICO was given authority to levy fines of up to 500,000 pounds.)
Earlier in the week, the ICO published a list of all the data breaches that had been reported to it since 2007, along with some analysis of the causes and sources of those breaches. Click the illustration in this post to view the ICO's breach notification spreadsheet.
A quick look shows that stolen data and hardware are the most common cause, while erroneous disclosures (which I presume includes a healthy number of inadvertent leaks via email and the web) are the second most common cause. eWeek Europe has some additional analysis in their article, "NHS Tops ICO List for Most Data Breaches."
In their article today, eWeek included some Proofpoint statistics about UK data loss concerns that we had collected at the recent Infosecurity Europe 2010 show, along with commentary from our own Ken Yearwood:
...a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.
This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.
“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”
Proofpoint exhibited recently at the 2010 Infosecurity Europe show, held in London, and as we did at the 2010 RSA conference, we conducted an electronic survey about email trends that 140 attendees (81% of them with IT, security or messaging titles and the balance with analyst/legal/compliance or non-IT titles) took the time to fill out.
Among the findings:
43% of respondents said they are "very concerned" about inadvertent leakage of private or personal information from their organizations via email. Fully half said they are "somewhat concerned" about this issue. Just 7% claim that they are "not concerned" about these sorts of data leaks.
That concern is well justified, since nearly two-thirds (64%) of respondents said that their organizations are subject to data protection regulations that require certain types of email to be encrypted or handled with particular care because they contain private or confidential information. Only 25% said their organizations were not subject to such data protection regulations.
In this short video, several attendees discuss the various regulations (such as the UK's Data Protection Act, PCI-DSS, etc.) that apply to their company's use of email:
The trend toward increasing the security around private data is something we've reported on quite frequently here in the blog and the growing awareness of data loss issues is reflected in some of our other survey findings. For example, 94% of respondents who have a corporate laptop said that it was password protected and more than half (58%) said that their corporate laptop used full disk encryption.
In addition, nearly half of respondents (49%) said their organization had already deployed an email encryption solution. Another 21% said that their organization intends to deploy an email encryption solution in the future.
On the topic of inbound email security, 40% of respondents said their organizations had been the target of a "spear phishing" attack in the past 12 months. That is, they were targeted by a phishing email designed specifically to compromise their own email users. (Our survey from RSA, where most respondents were US-based, found that nearly half of respondents believed their organizations had been the target of a spear phishing attack in the last 12 months.)
35% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 26% cited cost. 20% said that "ease of administration" was the most important factor. 8% cited available deployment method (e.g., SaaS vs. appliance) and 4% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.
Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (48% and 21%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:
17% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
9% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (As I mentioned in my post on RSA survey findings, I still fall into this camp!)
Just 2% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.
In the following video, attendees on the Infosecurity Europe show floor discuss their top email annoyances:
We've had a couple of recent reviews of Proofpoint's email security solutions and wanted to share them with you here.
First up, Proofpoint was reviewed in the March 2010 issue of SC Magazine (this review appeared in both the US and UK editions at different times) and we've licensed a reprint of that review, which you can download in PDF format at the following link:
Proofpoint scored a perfect 5-star review for features, performance, ease-of-use, documentation, support, value for money and overall rating.
Secondly (and I may have mentioned this previously), eWeek's David Strom took a close look at our SaaS-powered email encryption solution, Proofpoint Encryption, which turned into more of a full-featured review of our entire email security solution.
You can read that review online at eWeek at the following URL:
In that review, Strom points out many of the unique features of Proofpoint Encryption, the power of Proofpoint's email policy engine, DLP features and much more. Of our email security solution as a whole, he says, "The bottom line is that [Proofpoint] Protection Server is a worthwhile product (or service, if you purchase the Web version) that you may want to look at if your existing e-mail system is ready to be replaced."
Our live web seminar series continues on Wednesday, May 26th. Join Proofpoint and our new partner Titus Labs to learn about how email classification, email security and email archiving intersect. Find out how these technologies can help your organization better protect sensitive data and comply with an increasingly complex global regulatory environment.
To register for "End-to-end Email Security: Ensuring Data Privacy and Compliance," please visit the following link:
Proofpoint CEO Gary Steele says in the release that, "Proofpoint is off to an extremely strong start in 2010. Large enterprises and government organizations worldwide continue to look for ways to improve email security while reducing costs. At the same time, the global trend toward stricter, more complex data privacy regulations is driving interest in our data loss prevention, email encryption, compliance and eDiscovery solutions. As a result, we’re seeing accelerated growth in our email archiving business and increased uptake of our DLP and email encryption solutions with both new and existing customers."
To learn more about the market drivers for email security and Proofpoint's performance relative to the market as a whole, check out Gartner's 2010 Magic Quadrant for Secure E-Mail Gateways, which you can read compliments of Proofpoint.
In related news, IT security and data protection vendor Sophos announced that it will sell a majority interest in the company to a private equity firm, Apax Partners. Sophos's press release on this is here: "Apax Partners to Acquire Majority Interest in Sophos Plc." The deal is worth $830 million, with Apax taking a majority stake while Sophos founders are said to retain a "significant minority shareholding."
The deal underscores the strength of the IT security industry. It also takes UK-based Sophos -- the world's third largest antivirus supplier, behind Symantec and McAfee -- out of the running of private tech security firms in strong position to go public this year.
In that paragraph, Acohido links to a previous article, "Cybersecurity stocks look hot in 2010," wherein various analysts are quoted as saying that the recent row between Google and China has put a spotlight on IT security and that both publicly and privately held security companies stand to benefit. In comments attributed to Asheem Chandna, partner at Greylock Partners, that earlier article noted that:
Private firms with strong balance sheets and good growth prospects that might be viewed as viable candidates to float an initial public stock offering include Sophos, Barracuda Networks, Qualys, Proofpoint and Tripwire, Chandna says. He estimates 30 to 50 tech firms could go public this year, including three to five tech-security companies.
Proofpoint CEO Gary Steele says, “We believe Proofpoint’s positioning in the leaders quadrant by Gartner is a great confirmation of our continued success in helping global enterprises take control of email risks. Our continued innovation and unique focus on email security, encryption, data loss prevention and email archiving—combined with the ability to deliver those solutions in all of the popular form factors including SaaS, appliance or hybrid deployments—makes Proofpoint the ideal choice for organizations that want to reduce costs while making email more secure, compliant and easier to manage.”
Writing in the “Magic Quadrant for Secure E-mail Gateways,” (previously known as the “Magic Quadrant for Email Security Boundaries”) Gartner analysts Peter Firstbrook and Eric Ouellet note that the email security market is “defined by solutions that provide enterprise message transfer agent (MTA) capabilities, offer protection against inbound and outbound e-mail threats (such as spam, phishing attacks and malware), and satisfy outbound corporate and regulatory policy requirements. SEG solutions can be offered in the form of appliances or software that goes on customer premises, hosted solutions that reside in solution providers' data centers, or multitenancy SecaaS that exists in multiple data centers around the globe.”
Gartner also says that, “The e-mail security market is very mature. Targeted phishing detection, outbound e-mail inspection, encryption and delivery form factor are the major differentiators.”