Employees' Emails, File Sharing Are Data Breach Trojan Horses: Survey

Email is the most common technology used in accidental data breaches, according to a survey of 1,000-plus U.S. companies sponsored by data security platform Egress and conducted by Opinion Matters research group.

Eighty-three percent of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51 percent of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46 percent said corporate email was used in an accidental data breach.

Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey.

The respondents were senior and midlevel security professionals.

Egress cited the “explosive growth” in unstructured data, such as emails, documents and files, and the growing methods employees can use to communicate as factors that have significantly increased the chance of exposing sensitive data.

Collaboration and file share services like Dropbox and Slack are becoming commonly used at organizations and as a result, sensitive information is being exposed, the survey noted. Indeed, 40 percent said file sharing technology was used in employee-caused breach accidents, followed closely (38 percent) by collaboration tools.

The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79 percent of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while, 64 percent were required to use encryption when internally sharing PII or critical business data.

While useful, Egress chief technology officer and co-founder Neil Larkins noted that encrypting everything isn't the solution to minimizing breaches. “Encryption plays a part in this but doesn't entirely solve the issue,” he said, adding that other steps to take include deploying software that logs normal patterns of data sharing and also flags abnormal behavior.

Despite the frequency of accidental breaches, organizations did not see them as an immediate threat. While most respondents said their biggest IT security risk was ransomware and malware (48 percent) and external attacks (45 percent), only 40 percent said accidental data breaches by employees was a risk.

Larkins said that outlook was “historical” and is beginning to evolve as organizations are learning that phishing attacks are effective and the most common data attack.

Likewise, Jackson Lewis privacy, data and cybersecurity practice group founder and chair Joseph Lazzarotti said more companies are training employees to spot phishing. But he was concerned about the survey's finding that only 59 percent of companies are implementing new security policies in response to data regulation laws.

“You want those numbers to be higher,” Lazzarotti said. “Given all the breaches that have happened in the last 10 years, you'd hope that number was higher in terms of companies taking steps.”

He noted that as more states enact data privacy and breach laws, more organizations in turn are pushed to implement security policies that are in-line with regulations. “There are laws being added to the books that will continue to give companies more reasons to take these steps … hopefully the numbers will go up.”

New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54 percent of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led to 52 percent of organizations to invest in employee training and 44 percent have restricted the use of of external data sharing tools. Meanwhile, only 8 percent said new regulations haven't changed their organization's data sharing habits.