Employees & Email Are a Data Security Disaster Waiting to Happen

Businesses are being inundated with threats to their data security as cybercriminals hunt for fresh stores of data to peddle in the booming dark web data markets. With cybercrime numbers rising every day, it may seem like bad actors are the biggest threat to data security that a company will encounter. But that’s not the case. The biggest threat to data security that a company faces every day is actually a lot closer to home: its employees. Human actions lead to most data security incidents, but companies can mitigate the risk of a data exposure nightmare without breaking the bank.

What Challenges Do IT Teams Face When Contending with Data Loss Through Email?

The leading cause of a security breach of any kind will always be human beings. Nearly 60% of organizations in a recent Ponemon Institute study said that they have experienced data loss or exfiltration incidents caused by an employee data handling mistake using email in the last 12 months. Other channels that have also led to data loss because of employee mistakes include cloud file-sharing services (62%) and instant messaging platforms (57%). Drilling deeper, almost one-quarter of businesses studied said that they experience a security incident caused by employee email handling every day.

Having a practiced incident response plan is essential because this kind of data loss can be a challenge for IT teams to find. Discovering an email-related data security incident is slow. It takes security teams an average of about three days to detect and remediate a data loss and exfiltration incident caused by a malicious insider via email, and almost 48 hours to detect and remediate an email-related data security incident caused by a negligent employee. What makes preventing this kind of data loss so challenging? A lack of visibility of sensitive data that employees transferred from the network to personal email is the most common barrier (54%) to preventing data loss.

What Are Some of the Reasons Why Employees Mishandle Data?

Getting employees on board with security policy compliance and getting them to practice smart data handling behavior can be a challenge. Many employees don’t have a clue about the importance of their behavior in maintaining security, let alone the importance of maintaining strong security around data. Employee failure to follow security policies is the culprit in an estimated 40% of data losses. That’s often the consequence of poor or little employee security awareness training. An estimated 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s not just a data security problem, it’s a gateway to a cybersecurity disaster.

When considering data security risks, it’s also important to keep an eye out for malicious insiders as a source of data loss. A little over one-quarter of data loss in this study could be attributed to malicious insiders. A company’s proprietary data like customer records, formulas, blueprints, source code, playbooks, budgets, job bids, and other corporate secrets can do a lot of damage in the wrong hands, and it can also sell for a lot of money on the dark web. It takes security teams up to three days to discover and stop a malicious insider data theft incident that involves email. The more privileged the employee, the longer it can take (and the more damage they can do).

Employees who have recently left an organization or who have been terminated are a major data security threat, and they’re highly likely to send themselves data via an email on their way out. An estimated 45% of employees download, save, or send work-related files before they leave their job. This happens most frequently in the tech, financial services, business consulting, and management sectors. They’ll take everything from client lists to trade secrets. Employees are most likely to steal data like intellectual property within 90 days of their resignation, with 70% of insider intellectual property thefts taking place in that window.

Despite these risks, organizations do not have adequate training in place. While 61% of organizations say that they conduct security awareness training, only about half of them have programs that educate employees about the sensitivity and confidentiality of the company’s data. Failure to invest in security awareness training is a major barrier to security and compliance success. It’s overwhelmingly apparent that security and compliance awareness training works – and companies that engage in regular security awareness training have 70% fewer security incidents.

Source: ID Agent
