Proofpoint: Email Security Blog

Privacy

August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern


Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

August 19, 2010

Intel to Buy McAfee, "Security the Third Pillar of What People Demand from Computing Experiences"

In a move that surprised many, but will make a lot of sense to regular readers of this blog, Intel announced today that it has entered into a definitive agreement to buy diversified security vendor McAfee for $7.68 billion, a significant premium over McAfee's share price at yesterday's market close.

Echoing many of the same issues that Proofpoint CEO Gary Steele noted in his recent guest blog post at Byron Acohido's "Last Watchdog" blog (see "Why Wall Street is Boosting Investments in Tech Security"), Intel and McAfee gave the following rationale for the acquisition:

First, security is fundamental to today's computing environment. Intel CEO Paul Otellini is quoted as saying, "In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences."

And those "computing experiences" are becoming more and more pervasive. The explosive growth of Internet connected devices—not just PCs but smartphones, tablet computers (like the iPad, the rumored Google Chrome OS pad, etc.), even ATMs, medical diagnostic equipment and on and on—requires better security for those devices to prevent exploitation and protect private data held and processed by those devices.

As security vendors regularly point out, security threats continue to proliferate rapidly and are becoming more complex and more costly to remediate. In the email security space, for example, targeted attacks such as spear phishing, the use of multiple attack vectors (combining email, web and social media components) and more clever social engineering are now commonplace. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," says McAfee CEO Dave DeWalt.

McAfee's online announcement also notes that, "The current cybersecurity model isn't extensible across the proliferating spectrum of devices - providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security." Which I think is a rather verbose way of saying that network security in today's world needs a major "re-think" and that certain security functions and controls need to migrate further down the IT application stack and be more of an integral part of the hardware and firmware that power new devices.

Additionally, Intel notes that this acquisition is part of their ongoing effort to broaden its IT footprint, delivering not just hardware but software components. Notes the Intel announcement, "Intel has made a series of recent and successful software acquisitions to pursue a deliberate strategy focused on leading companies in their industry delivering software that takes advantage of silicon. These include gaming, visual computing, embedded device and machine software and now security." (Intel's acquisitions of embedded/mobile software vendor Wind River and gaming AI/physics vendor Havok are cited.)

Expect this news to spur ongoing M&A activity in the security space. And, more importantly, the trend toward making security more of a core component of computing devices—rather than an afterthought—will make for a safer computing world.

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies was brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches."

June 25, 2010

FTC Puts the Smackdown on Twitter for User Privacy, Access Controls: Concern Over Privacy and Data Protection Just Keeps Growing

Is privacy the new black? Certainly seems that way with a constant stream of news about privacy snafus, data loss/exposure incidents and increasing scrutiny of data privacy policies at all levels.

A couple of the latest sightings: Yesterday, the FTC issued a decision based on its investigation of Twitter's security practices (text of the FTC's decision on Twitter here), which came under scrutiny after several high-profile compromises of that social media service.

E-commerce Times has a good summary of the situation today, including some commentary from yours truly about what this ruling means for all types of online services, especially those with a messaging component. I also suggest that some of the FTC's prescription for Twitter is generally good advice when it comes to password security. Rather than repeat all of that stuff here, I refer you to Katherine Noyes's excellent article over at ecommercetimes.com for the whole story:

E-Commerce Times: FTC Puts Social Nets on Notice with Twitter Smackdown

On a related tip, I see that the always excellent Healthcare Info Security has posted a new podcast with IT luminary Guy Kawasaki talking about social media strategies, including security concerns. Taking a bit of a contrarian view, Guy says that security and privacy concerns about social media are "massively overblown."

Healthcare Info Security podcast: Guy Kawasaki on the Power of Social Media

I get where Guy's coming from - he's really commenting on some individuals' over-sensitivity to targeted marketing campaigns and the difference between regulated info like personal healthcare and financial information and info that might be considered "private", but doesn't so much represent something risky or exploitable.

But at the same time, enterprises (especially in regulated industries) need to be mindful of the fact that - just as with email - it's fairly easy to run afoul of data protection and privacy regulations over social media.

Regular readers know that I've got a whole raft of facts about that (if you've never seen those before, you can find many of those here in the blog, or download my latest report at http://www.proofpoint.com/outbound.)
