Employee negligence revealed as the leading cause of data loss for businesses

LONDON, 18 May 2022 –  60 per cent of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months, according to new research from the Ponemon Institute, and sponsored by Tessian. Email was revealed as the riskiest channel for data loss in organisations, as stated by 65 per cent of IT security practitioners. This was closely followed by cloud file-sharing services (62 per cent) and instant messaging platforms (57 per cent).

The Ponemon Institute surveyed 614 IT security practitioners across the globe to also reveal that:

  • Employee negligence was the leading cause of data loss incidents (40 per cent), in the last 12 months
  • Over a quarter (27 per cent) of data loss incidents are caused by malicious insiders
  • It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
  • Almost one in four (23 per cent) organisations experience up to 30 security incidents involving employees’ use of email every month

Furthermore, the majority of respondents (54 per cent) said that the primary barrier to securing sensitive company data is the lack of visibility of sensitive data that is transferred from the network to personal email. Fifty-two percent of respondents say it is the inability to detect anomalous employee data handling behaviours and the inability to identify legitimate data loss incidents.

Due to this lack of visibility, it can take IT security teams almost three days (72 hours) to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email and up to two days (48 hours) to detect and remediate an incident caused by employees.

The report also found that the majority of organisations (73 per cent) are concerned that employees do not understand the sensitivity or confidentiality of data they share through email. Despite these findings, nearly half of IT security leaders surveyed (46 per cent) say their programs properly address the sensitivity and confidentiality of the data that employees can access on email.

Josh Yavor, Chief Information Security Officer for Tessian, commented:

“Most security awareness training programs focus on inbound threats, yet fail to adequately address the handling of sensitive data internally. But data loss – whether accidental or intentional – is a major threat and should be treated as a top priority.

“To create awareness and mitigate data loss incidents, organisations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data. Security awareness training that directly addresses common types of data loss – including what’s okay to share with personal accounts and what’s not okay to take with you when you leave a company – and a culture that builds trust and confidence among employees will improve security behaviours and limit the amount of data that flows out of the organisation.”

Larry Ponemon, chairman and founder of Ponemon Institute, said:

This study showcases the severity of data loss on email and the implications it has for modern enterprises. Our findings prove the lack of visibility organisations have into sensitive data, how risky employee behaviour can be on email and why enterprises should view data loss prevention as a top business priority.”

Recommended For You

About the Author: Michael O'Sullivan