Employees' Emails, File Sharing Are Data Breach Trojan Horses: Survey
Employees' emailing and file sharing practices are the leading cause of accidental data breaches, according to a new survey. More organizations are turning to software, encryption and employee training in response.
February 26, 2019 at 01:30 PM
4 minute read
Email is the most common technology used in accidental data breaches, according to a survey of 1,000-plus U.S. companies sponsored by data security platform Egress and conducted by Opinion Matters research group.
Eighty-three percent of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51 percent of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46 percent said corporate email was used in an accidental data breach.
Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey.
The respondents were senior and midlevel security professionals.
Egress cited the “explosive growth” in unstructured data, such as emails, documents and files, and the growing methods employees can use to communicate as factors that have significantly increased the chance of exposing sensitive data.
Collaboration and file share services like Dropbox and Slack are becoming commonly used at organizations and as a result, sensitive information is being exposed, the survey noted. Indeed, 40 percent said file sharing technology was used in employee-caused breach accidents, followed closely (38 percent) by collaboration tools.
The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79 percent of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while, 64 percent were required to use encryption when internally sharing PII or critical business data.
While useful, Egress chief technology officer and co-founder Neil Larkins noted that encrypting everything isn't the solution to minimizing breaches. “Encryption plays a part in this but doesn't entirely solve the issue,” he said, adding that other steps to take include deploying software that logs normal patterns of data sharing and also flags abnormal behavior.
Despite the frequency of accidental breaches, organizations did not see them as an immediate threat. While most respondents said their biggest IT security risk was ransomware and malware (48 percent) and external attacks (45 percent), only 40 percent said accidental data breaches by employees was a risk.
Larkins said that outlook was “historical” and is beginning to evolve as organizations are learning that phishing attacks are effective and the most common data attack.
Likewise, Jackson Lewis privacy, data and cybersecurity practice group founder and chair Joseph Lazzarotti said more companies are training employees to spot phishing. But he was concerned about the survey's finding that only 59 percent of companies are implementing new security policies in response to data regulation laws.
“You want those numbers to be higher,” Lazzarotti said. “Given all the breaches that have happened in the last 10 years, you'd hope that number was higher in terms of companies taking steps.”
He noted that as more states enact data privacy and breach laws, more organizations in turn are pushed to implement security policies that are in-line with regulations. “There are laws being added to the books that will continue to give companies more reasons to take these steps … hopefully the numbers will go up.”
New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54 percent of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led to 52 percent of organizations to invest in employee training and 44 percent have restricted the use of of external data sharing tools. Meanwhile, only 8 percent said new regulations haven't changed their organization's data sharing habits.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSEC Fines 4 Companies $7M for Downplaying Breaches Tied to Massive SolarWinds Hack
Joseph Saveri Law Firm, Co-Counsel File 9th Circuit Appeal in Lawsuit Targeting GitHub's Use of Code to Train AI Models
Legal Leaders See AI's Multitude of Uses as Both Blessing and Curse
Lawyers Are Adopting Gen AI Five Times Faster Than the Cloud
Trending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250