Proofpoint: Email Security Blog

August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern
Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

August 20, 2010

Video: Email Archiving and Email Security Customer National Financial Partners
Financial services firm National Financial Partners has been a long-time user of Proofpoint's SaaS email archiving solution and, more recently, also deployed Proofpoint's SaaS solutions for inbound and outbound email security. 

Dán Salomon, NFP's Senior Vice President of Technology, kindly took the time to speak with me about how his organization uses Proofpoint's SaaS solutions and why he feels that performing email archiving and email security functions "in the cloud" is more secure than taking an on-premises approach. Beyond the cost advantages of SaaS, Dán explains the other business drivers for adopting Software-as-a-Service in this video (recorded on location at Proofpoint's 2010 "Inner Circle" customer event in New York).

My thanks to Dán and NFP for their willingness to discuss this approach and for allowing us to share this interview here!

August 19, 2010

Intel to Buy McAfee, "Security the Third Pillar of What People Demand from Computing Experiences"

In a move that surprised many, but will make a lot of sense to regular readers of this blog, Intel announced today that it has entered into a definitive agreement to buy diversified security vendor McAfee for $7.68 billion, a significant premium over McAfee's share price at yesterday's market close.

Echoing many of the same issues that Proofpoint CEO Gary Steele noted in his recent guest blog post at Byron Acohido's "Last Watchdog" blog (see "Why Wall Street is Boosting Investments in Tech Security"), Intel and McAfee gave the following rationale for the acquisition:

First, security is fundamental to today's computing environment. Intel CEO Paul Otellini is quoted as saying, "In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences."

And those "computing experiences" are becoming more and more pervasive. The explosive growth of Internet connected devices—not just PCs but smartphones, tablet computers (like the iPad, the rumored Google Chrome OS pad, etc.), even ATMs, medical diagnostic equipment and on and on—requires better security for those devices to prevent exploitation and protect private data held and processed by those devices.

As security vendors regularly point out, security threats continue to proliferate rapidly and are becoming more complex and more costly to remediate. In the email security space, for example, targeted attacks such as spear phishing, the use of multiple attack vectors (combining email, web and social media components) and more clever social engineering are now commonplace. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," says McAfee CEO Dave DeWalt.

McAfee's online announcement also notes that, "The current cybersecurity model isn't extensible across the proliferating spectrum of devices – providing protection to a heterogeneous world of connected devices requires a fundamentally new approach to security." I think that's a rather verbose way of saying that network security in today's world needs a major "re-think" and that certain security functions and controls need to migrate further down the IT application stack and become an integral part of the hardware and firmware that power new devices.

Additionally, Intel notes that this acquisition is part of its ongoing effort to broaden its IT footprint, delivering not just hardware but software components. Notes the Intel announcement, "Intel has made a series of recent and successful software acquisitions to pursue a deliberate strategy focused on leading companies in their industry delivering software that takes advantage of silicon. These include gaming, visual computing, embedded device and machine software and now security." (Intel's acquisitions of embedded/mobile software vendor Wind River and gaming AI/physics vendor Havok are cited.)

Expect this news to spur ongoing M&A activity in the security space. And, more importantly, the trend toward making security more of a core component of computing devices—rather than an afterthought—will make for a safer computing world.

August 09, 2010

Email Archiving: Major Update to Proofpoint Enterprise Archive Adds Exchange 2010 Support, New eDiscovery Features

We're excited to announce a new update to Proofpoint Enterprise Archive, our SaaS email archiving solution, today, along with several new email archiving resources.

Pictured at left is our updated datasheet about Proofpoint Enterprise Archive, which has been enhanced with information about the latest features. (You can click the image to snag a PDF copy.)

The new version adds full support for Microsoft Exchange Server 2010, including support for Outlook Web Access, access to stubbed attachments and advanced search capabilities.

It also supports organizations that are migrating from earlier versions of Exchange—or that have complex email environments—because it's compatible with environments that use multiple Microsoft Exchange server versions including 2003, 2007 and 2010.

One of the primary benefits of Proofpoint Enterprise Archive is that it helps reduce legal discovery risks and costs. By providing a secure, searchable repository of all email messages, Proofpoint's email archiving solution makes it easy to perform early case assessments, instantly preserve data in active legal holds and enforce email retention policies.

“eDiscovery is critical to our firm, as attorneys must be able to store and search email records quickly during the legal hold stage at the beginning of the litigation process,” says Proofpoint customer Steven Heller, director of technology for law firm Graubard Miller (for more on the benefits Steven and his firm have realized, see this previous blog post). “We continue to trust Proofpoint for our archiving needs and are thrilled with its ability to generate search results in near-real time. New legal hold features will empower our team to track and identify key information faster and easier than ever before.” 

The new release includes a variety of enhancements to help streamline the eDiscovery process:

  • Proofpoint Enterprise Archive's active legal hold capabilities allow attorneys and staff to instantly preserve data in legal holds, in contrast to inefficient manual methods that are difficult to track and audit and that increase the legal risk of data spoliation.
  • Enhanced eDiscovery capabilities make it easier for legal teams to search data in near real-time to prepare for HR, regulatory or litigation issues. Proofpoint Enterprise Archive now supports data export to EDRM XML, a standard format used in the legal industry to simplify the movement of archived data to other legal analysis tools. New search capabilities also benefit end-users who can more easily perform complex searches of their own archived email.
  • Proofpoint Enterprise Archive includes compliance and supervision features for industry-specific rules and regulations such as FINRA, GLBA and HIPAA, as well as SEC policies for email storage. For organizations with supervisory compliance requirements (such as compliance with FINRA rules) Proofpoint Enterprise Archive now makes it easier to handle larger groups of supervised users, perform supervision searches and randomly sample data for auditing purposes. An enhanced supervision workflow allows records managers and compliance officers to more easily manage multiple supervision queues.

You can learn more about the solution in our complete press release... And see my next blog post for the link to a new Gartner report on email archiving strategies...

August 02, 2010

Proofpoint Marks 7 Years of Increasing Quarterly Revenue: Federal Adoption of Cloud Computing, Privacy and Encryption Demand Contribute to Record Quarter

In a press release issued today, Proofpoint recapped quarterly results from Q2 2010, announcing 7 years (28 consecutive quarters) of increasing quarterly revenue. As we've seen in previous quarters, data privacy and regulatory compliance concerns were an important driver for new business once again.

Proofpoint CEO Gary Steele said that, “There are four key issues driving enterprise IT security spend right now—an increasingly sophisticated spam and malware threat landscape, urgency around protecting consumer and data privacy, pressure to address electronic discovery issues and a realization that SaaS can greatly reduce security and compliance costs. Proofpoint’s solutions are ideally suited to meeting these needs.”

Regular readers of this blog will recognize that the trend toward more strict data protection regulations and increasing eDiscovery needs isn't particularly new. However, one very interesting new trend reported in Proofpoint's latest release is that the Federal market for SaaS solutions is definitely heating up.

One new deal mentioned in the press release is the adoption of Proofpoint's SaaS email archiving solution by a large US Federal agency for an initial 6000 mailboxes with plans to eventually roll the solution out to archive email for more than 70,000 of the agency's employees.

Commenting on the deal, Steele says, “To date, Federal agencies have been extremely cautious about adoption of SaaS solutions and this deployment of Proofpoint Archive will be among the first and largest SaaS deployment—of any kind—in the Federal market. The selection of Proofpoint is a strong validation of the unique security, reliability and scalability features of our SaaS architecture and applications.”  

There's been quite a bit of news coverage recently about Federal adoption of cloud computing-based solutions—for example, the ongoing battle between Google and Microsoft to provide email hosting services for 15,000 employees at the GSA (see, "Google cloud-computing applications get certification for federal government use," in Sunday's Washington Post for just one example).

Proofpoint's efforts in the US Federal Government sector increased during the quarter with the appointment of a new VP of federal operations. In an announcement from June 2010, Proofpoint noted that:

"Over the years, Proofpoint has gained strong momentum in the public sector, protecting more than one million government email inboxes including many federal civilian agencies, department of defense organizations such as the US Coast Guard, and the intelligence community. By achieving important information assurance certifications such as NIAP's Common Criteria EAL2+ and NIST FIPS 140-2, Proofpoint is trusted to protect mission-critical applications and mitigate risk through its email security, archiving and data loss prevention solutions."

Of course, it's not just the Federal government market that's moving to SaaS: Enterprises in the private sector continue to move to SaaS. As just one example, Proofpoint's release notes that the number of messages under management by its SaaS email archiving solution doubled in the past 12 months and that this trend is accelerating.

For more on the trends that drove Proofpoint's revenues to record levels once again, see the full press release:

SaaS Email Security and Compliance Leader Proofpoint Reports Q2 2010 Results, Seven Years of Record Quarterly Revenues

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies was brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches."

June 23, 2010

Gartner Analyst Eric Ouellet: Many Organizations "Buying More DLP than They Need in the Real World Case"

NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.

Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units that actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.

The whole article is worth a read and it provides an interesting "proof point" for something that we've been noting for quite a while... That multi-channel, enterprise DLP deployments (that involve the deployment of endpoint, network and discovery tools) are often more difficult and costly for organizations than they can really manage.

As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss - and one of the least controlled).

Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:

Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption

Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):

... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:

http://www.proofpoint.com/magicquadrant

June 11, 2010

Best Practices for Using Email in the Workplace: Via FINS/Wall Street Journal Digital Network

Once again, I am quoted giving a variation on my golden rule of email, "Don't put anything in writing that you don't want the whole world to see." This time, the venue is FINS (a finance careers site that's part of the Wall Street Journal's online network). In, "Email Best Practices for the Workplace," reporter Toddi Gutner quotes me and Proofpoint's oft-repeated statistics on email discovery and email monitoring.

In light of recent exposures of internal emails at firms like Goldman Sachs, this article aims to answer the question, "Are there times when an email shouldn't have been sent?" While aimed at financial services professionals, this article provides some great advice that workers in any industry should consider when using email at work.

To summarize the guidelines presented in the article for using email at work:

  • Keep work email for work matters. If you are using your company computer and your company email, it shouldn't be used for personal matters.
  • Communicate clearly and carefully. Finance professionals, such as traders and portfolio managers who use email to verify prices of stocks and bonds, need to ensure that the information they send is accurate.
  • Be professional. Don't write or send an email when you're angry or emotional. If you're upset, consider waiting 24 hours.
  • Consider the telephone. When considering writing an email on a sensitive topic, consider picking up the phone instead.

There's a lot more detail in the full article, which can be found here:

Email Best Practices for the Workplace

June 09, 2010

Five Hospital Staffers Fired for Social Media Discussions About Patients

In a news item that won't come as any big surprise to regular readers of this blog, Healthcare InfoSecurity reports that Oceanside California's Tri-City Medical Center will terminate five employees and discipline another for posting discussions about hospital patients via Facebook.

According to the article, "5 to be Fired for Social Media Use," there may not have been (strictly speaking) a violation of HIPAA or HITECH privacy rules, but the CEO of the hospital said that an investigation had, "yielded sufficient information to warrant disciplinary action."

As I've reported on many previous occasions, discipline and termination actions for these sorts of activities are far from rare. In Proofpoint's 2009 survey of more than 200 email decision makers at large enterprises, we found the following:

  • 17% of large US companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site.
  • 10% disciplined an employee for violating social networking policies, while 8% had fired an employee for such a violation (and this just within the preceding 12 months).
  • Overall, 34% of responding companies (from all industries) had investigated a suspected violation of privacy or data protection regulations in the past 12 months.

In the forthcoming (2010) edition of this report, I expect that we'll see an increase in both the level of concern and the number of disciplinary actions taken by companies with respect to misuse of social media.

June 07, 2010

Email Archiving Challenges: Two Perspectives - Podcast with Proofpoint's Andres Kohn

Our friend Keith Shaw over at Network World has a great new "Panorama" podcast up today where two email archiving experts—Proofpoint's own Andres Kohn and AppRiver's James Dean—talk about the email archiving challenges that both enterprises and SMBs face.

In "E-mail Archiving Challenges: Two Perspectives", Andres takes the enterprise perspective while James represents the SMB space.

You can have a listen by visiting Network World's site here:

http://www.networkworld.com/podcasts/panorama/2010/060710pan-archiving-twosides.html

Or you can download an mp3 version directly to your local machine here:

http://podcasts.networkworld.com/panorama/2010/060710pan-archiving-twosides.mp3

With eDiscovery, archiving and litigation readiness very much in the headlines these days (see my recent posts about BP and Piper Jaffray), you might want to learn more about the issues discussed in this podcast. In our upcoming live web seminar, "Surviving eDiscovery" we'll discuss initial steps for compliance and litigation readiness as well as provide practical advice for both legal and IT teams. To register, please visit:

http://www.proofpoint.com/id/survive-ediscovery/index.php?id=6