Proofpoint: Email Security Blog

Research and Surveys

August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern


Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

August 09, 2010

New Gartner Report on Email Archiving Strategies Available from Proofpoint

As part of our launch this week of a major update to Proofpoint Enterprise Archive, our SaaS email archiving solution, Proofpoint has licensed a great new report from analyst firm Gartner. According to this report:

"Organizations are drowning in e-mail and often find it difficult to get the problem under control. Very few companies have a comprehensive and well-enforced e-mail retention program which determines what messages are kept and for how long.

A message retention program, however, is becoming a business necessity as organizations struggle to comply with external regulatory requirements, internal records management needs, demands for e-mail discovery to support litigation efforts and demands from users for preservation of legitimate business messages."

You can read the full version of Gartner's report, Building an E-mail Retention Strategy, courtesy of Proofpoint, by visiting the following URL:

http://www.proofpoint.com/id/email-archiving-strategy/index.php

July 30, 2010

A Few Quick Spam Observations from Q2 2010: Top Spam Sending Countries and More

The anti-spam team over in the Proofpoint Attack Response Center shared some statistics with me about spam trends in Q2 (April through June) of 2010 that I thought I would relate here.

First, the spam team provided a breakdown of the top 10 spam-sending countries for Q2 (the original post illustrated this with a chart, "Proofpoint Top Spam Sending Countries Q2 2010").

This data, compiled from spam messages that hit Proofpoint's spam "honeypots" (email addresses and email servers that attract and collect spam email messages), shows that the US was the top spam sending nation during the second quarter. Brazil and India took the #2 and #3 positions—unsurprisingly as the recently released Proofpoint/Commtouch Q2 Internet Threats Trend Report showed those two nations as the top hotspots for botnet infestation.

Another interesting trend observed during Q2 is that, in general, malicious email messages continued to become more difficult to detect—that is, spammers continued to innovate and use more complex obfuscation techniques. The percentage of messages containing an obvious spam URL destination, for example, fell by more than half. Similarly, image-based spam messages declined by more than a third and messages with virus-infected attachments fell by more than a quarter.

Since overall spam levels didn't decline during the quarter, what's taking the place of those easier-to-detect spam messages?

Proofpoint anti-spam engineer Scott Panzer tells me that "spoof" messages (the type commonly used in phishing attacks) have been generally on the rise and that Proofpoint's anti-spam technology catches these using more predictive approaches. (For a great deal of information on the unique, machine learning techniques that Proofpoint uses to stop spam, see our whitepaper about Proofpoint MLX.)
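
The "spoof" messages described above work on the gap between what a recipient sees and what the mail system actually uses: a trusted-looking display name over an unrelated sender address, a Reply-To that steers answers elsewhere, or a link whose host merely embeds the brand's domain. As an added illustration, not code from Proofpoint or from the original post, the following Python script applies a few such header heuristics to a raw message. The two messages, the domain names and the specific checks are constructed for the example and are assumptions; they are not a description of how Proofpoint MLX classifies mail.

```python
"""Header-level spoof heuristics for an inbound message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible name claims bank.example, while the real
# From, Reply-To, Return-Path and link host all point elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulk-sender.example>
From: "Account Services <security@bank.example>" <noreply@mailer-example.net>
Reply-To: verify@bank-support.example
To: user@corp.example
Subject: Please confirm your account
Content-Type: text/plain; charset="us-ascii"

Visit http://bank.example.mailer-example.net/login to confirm your details.
"""

# Constructed sample: an ordinary internal message with consistent headers.
CLEAN_MESSAGE = """\
Return-Path: <alice@corp.example>
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch

Noon? Menu is at http://wiki.corp.example/lunch
"""

# An address embedded in free text, capturing its domain.
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Host (and optional port) of an http(s) URL; the path is dropped.
URL_HOST = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain of the address in a header, '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    """Concatenate the transfer-decoded text/* parts of a message."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk()
        if p.get_content_maintype() == "text" and not p.is_multipart()]
    out = []
    for p in parts:
        raw = p.get_payload(decode=True) or b""
        out.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def lookalike_hosts(text, claimed_domain):
    """Hosts in text that contain claimed_domain but are not under it.

    bank.example.mailer-example.net 'contains' bank.example yet belongs to
    mailer-example.net; login.bank.example is genuinely under bank.example.
    """
    hits = []
    for host in URL_HOST.findall(text):
        host = host.lower().split(":")[0]
        under_claimed = host == claimed_domain or host.endswith("." + claimed_domain)
        if claimed_domain and claimed_domain in host and not under_claimed:
            hits.append(host)
    return hits


def spoof_indicators(raw_message):
    """Return a list of reasons the message looks spoofed (empty: none fired).

    An empty list is not a clean verdict; these are cheap header checks that
    a full filter would combine with SPF/DKIM results and sender reputation.
    """
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    reasons = []

    # 1. Display name carries an address from a domain other than the real From.
    embedded = EMBEDDED_ADDRESS.search(display_name)
    claimed_dom = embedded.group(1).lower() if embedded else from_dom
    if claimed_dom != from_dom:
        reasons.append(f"display name claims {claimed_dom}, From is {from_dom}")

    # 2. Replies are steered to a domain other than the one shown in From.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To {reply_dom} differs from From {from_dom}")

    # 3. Envelope sender (recorded by the receiving MTA as Return-Path)
    #    differs from the header From.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path {rp_dom} differs from From {from_dom}")

    # 4. Links whose host merely embeds the claimed domain.
    for host in lookalike_hosts(_body_text(msg), claimed_dom):
        reasons.append(f"look-alike link host {host}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, spoof_indicators(raw) or "no indicators")
```

Each check compares a domain the recipient sees with one the mail system uses, which is why all four fire on the constructed spoof and none on the clean message. Legitimate bulk mailers also produce Return-Path and Reply-To mismatches, so in practice these indicators are scored alongside SPF/DKIM alignment and reputation rather than used as a block list on their own.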

Proofpoint customers weren't affected by the increasing complexity of spam messages during the quarter, however, as Proofpoint's anti-spam effectiveness actually increased from an average of 99.93% during Q1 to 99.94% during Q2. As noted in Gartner's latest Magic Quadrant for Secure Email Gateways, Proofpoint is one of the few email security vendors that publicly publishes its ongoing anti-spam effectiveness. You can view Proofpoint's spam detection accuracy for the last 190 days by visiting:

http://www.proofpoint.com/products/livespamstats.php

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies were brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches.”

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article). 

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine if employees’ text messaging limits were too low and should be increased; during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which is concern about compliance with data protection regulations such as HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

June 11, 2010

Best Practices for Using Email in the Workplace: Via FINS/Wall Street Journal Digital Network

Once again, I am quoted giving a variation on my golden rule of email, "Don't put anything in writing that you don't want the whole world to see." This time, the venue is FINS (a finance careers site that's part of the Wall Street Journal's online network). In, "Email Best Practices for the Workplace," reporter Toddi Gutner quotes me and Proofpoint's oft-repeated statistics on email discovery and email monitoring.

In light of recent exposures of internal emails at firms like Goldman Sachs, this article aims to answer the question, "Are there times when an email shouldn't have been sent?" While aimed at financial services professionals, this article provides some great advice that workers in any industry should consider when using email at work.

To summarize the guidelines presented in the article for using email at work:

  • Keep work email for work matters. If you are using your company computer and your company email, it shouldn't be used for personal matters.
  • Communicate clearly and carefully. Finance professionals, such as traders and portfolio managers who use email to verify prices of stocks and bonds, need to ensure that the information they send is accurate.
  • Be professional. Don't write or send an email when you're angry or emotional. If you're upset, consider waiting 24 hours.
  • Consider the telephone. When considering writing an email on a sensitive topic, consider picking up the phone instead.

There's a lot more detail in the full article, which can be found here:

Email Best Practices for the Workplace

June 09, 2010

Five Hospital Staffers Fired for Social Media Discussions About Patients

In a news item that won't come as any big surprise to regular readers of this blog, Healthcare InfoSecurity reports that Oceanside California's Tri-City Medical Center will terminate five employees and discipline another for posting discussions about hospital patients via Facebook.

According to the article, "5 to be Fired for Social Media Use," there may not have been (strictly speaking) a violation of HIPAA or HITECH privacy rules, but the CEO of the hospital said that an investigation had, "yielded sufficient information to warrant disciplinary action."

As I've reported on many previous occasions, discipline and termination actions for these sorts of activities are far from rare. In Proofpoint's 2009 survey of more than 200 email decision makers at large enterprises, we found the following:

  • 17% of large US companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site.
  • 10% disciplined an employee for violating social networking policies, while 8% had fired an employee for such a violation (and this just within the preceding 12 months).
  • Overall, 34% of responding companies (from all industries) had investigated a suspected violation of privacy or data protection regulations in the past 12 months.

In the forthcoming (2010) edition of this report, I expect that we'll see an increase in both the level of concern and the number of disciplinary actions taken by companies with respect to misuse of social media.

June 04, 2010

UK Information Commissioner's Office Publishes Data on Security Breaches, But Not Yet Issuing Fines

eWeek Europe has been doing a good job of following news out of the UK about efforts by the Information Commissioner's Office (ICO) to crack down on breaches of personal data.

In a new story out today, ICO Cracks Down on Data Breaches, But no Fines, writer Sophie Curtis points out that while the ICO has ruled that several large-scale exposures of private healthcare and identity information were violations of the UK's Data Protection Act, it has yet to impose fines. (Earlier this year, the ICO was given authority to levy fines of up to 500,000 pounds.)

Earlier in the week, the ICO published a list of all the data breaches that had been reported to it since 2007, along with some analysis of the causes and sources of those breaches. (The original post illustrated this with a chart, "Security Breaches Reported to UK Information Commissioner's Office", linking to the ICO's breach notification spreadsheet.)

A quick look shows that stolen data and hardware are the most common cause, while erroneous disclosures (which I presume includes a healthy number of inadvertent leaks via email and the web) are the second most common cause. eWeek Europe has some additional analysis in their article, "NHS Tops ICO List for Most Data Breaches."

In their article today, eWeek included some Proofpoint statistics about UK data loss concerns that we had collected at the recent Infosecurity Europe 2010 show, along with commentary from our own Ken Yearwood:

...a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.

This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.

“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”

May 19, 2010

Email Security Trends, UK: Results from Proofpoint Survey at Infosecurity Europe 2010 (with Videos)

Proofpoint exhibited recently at the 2010 Infosecurity Europe show, held in London, and as we did at the 2010 RSA conference, we conducted an electronic survey about email trends that 140 attendees (81% of them with IT, security or messaging titles and the balance with analyst/legal/compliance or non-IT titles) took the time to fill out.

Among the findings:

43% of respondents said they are "very concerned" about inadvertent leakage of private or personal information from their organizations via email. Fully half said they are "somewhat concerned" about this issue. Just 7% claim that they are "not concerned" about these sorts of data leaks.

That concern is well justified, since nearly two-thirds (64%) of respondents said that their organizations are subject to data protection regulations that require certain types of email to be encrypted or handled with particular care because they contain private or confidential information. Only 25% said their organizations were not subject to such data protection regulations.

In this short video, several attendees discuss the various regulations (such as the UK's Data Protection Act, PCI-DSS, etc.) that apply to their company's use of email:
 


The trend toward increasing the security around private data is something we've reported on quite frequently here in the blog and the growing awareness of data loss issues is reflected in some of our other survey findings. For example, 94% of respondents who have a corporate laptop said that it was password protected and more than half (58%) said that their corporate laptop used full disk encryption.

In addition, nearly half of respondents (49%) said their organization had already deployed an email encryption solution. Another 21% said that their organization intends to deploy an email encryption solution in the future.

On the topic of inbound email security, 40% of respondents said their organizations had been the target of a "spear phishing" attack in the past 12 months. That is, they were targeted by a phishing email designed specifically to compromise their own email users. (Our survey from RSA, where most respondents were US-based, found that nearly half of respondents believed their organizations had been the target of a spear phishing attack in the last 12 months.)

35% of respondents said that effectiveness and accuracy is the most important factor when selecting an email security solution, while 26% cited cost. 20% said that "ease of administration" was the most important factor. 8% cited available deployment method (e.g., SaaS vs. appliance) and 4% cited vendor brand/reputation as the most important decision factor when selecting an email security solution.

Survey respondents were also asked about their top email annoyances. It's probably no surprise that spam and phishing emails that get through the organization's spam filter were the top two annoyances (48% and 21%, respectively). But certain types of legitimate email were most annoying for some of our survey respondents:

  • 17% find legitimate email newsletters/marketing emails that are sent too frequently their top email annoyance.
  • 9% find legitimate emails from coworkers or business contacts "that I just don't have time to answer" as most annoying. (As I mentioned in my post on RSA survey findings, I still fall into this camp!)
  • Just 2% find social media notifications and other types of legitimate, but non-essential, emails as most annoying.

In the following video, attendees on the Infosecurity Europe show floor discuss their top email annoyances:


 

May 12, 2010

Cybersecurity and Privacy in the UK: Is Data Privacy Responsible for the New UK Government? (with Video)

SC Magazine news editor Dan Raywood (who frequently mentions my posts here in his own articles for SC) has been tweeting news about the formation of the new coalition government in the UK (now confirmed as a Conservative-led, Liberal Democrat-allied coalition with Prime Minister David Cameron [Conservative] and Deputy Prime Minister Nick Clegg [Liberal Democrat] at the helm).

With tongue only gently planted in cheek, Dan (follow him @DanRaywood on Twitter) suggested in a tweet yesterday that data privacy might have been a major driver for the failure of Labour to form a coalition government:

"Rumour that ID cards are what caused Clegg to turn back on Labour coalition. So could it be said that data privacy caused the new government?"

And, indeed, one of the first actions of the new government is reported to be the introduction of a "freedom bill" that will extend Freedom of Information laws and repeal ID cards and biometric passports. (See "Nick Clegg Confirmed as deputy prime minister" among other articles.)

When Proofpoint interviewed attendees at the recent Infosecurity Europe show, we found a great deal of confusion (maybe even a touch of American-style apathy) about which UK political party would do the most to improve cybersecurity in general. Our friends at LEWIS PR interviewed attendees on this topic and you can hear firsthand what they thought in this short video:


 

We asked 140 attendees at Infosecurity Europe "Ahead of the UK general election, which political party do you think would do the most to improve cyber security in the UK?" and found that more than half of respondents (57%) said they didn't know. The rest of the responses were as follows: 

Labour: 7%
Conservatives: 12%
Liberal Democrats: 11%
Other: 13%

It'll be interesting to follow how the UK's data privacy regulations change in the coming months since these topics are clearly on the new government's agenda!
