Published in News

Internal security is a nightmare, says survey

on 08 March 2019


Employees share the most sensitive data

More than 83 percent of companies have had an employee accidentally expose customer or sensitive data, a new study has found.

Research by security outfit Egress said 79 percent of organisations share PII / sensitive business data internally without encryption and 64 percent of organisations share PII / sensitive business data externally without encryption.

Respondents named the five most common technologies that have led to accidental data breaches by employees:

• External email services (Gmail, Yahoo etc.) (51 percent)
• Corporate email (46 percent)
• File sharing services (FTP sites, etc.) (40 percent)
• Collaboration Tools (Slack, Dropbox, etc.) (38 percent)
• SMS / Messaging Apps (G-Chat, WhatsApp, etc.) (35 percent)

According to Egress, some of the most common email accidents that lead to data breaches include:

• Accidental sharing / wrong email address (The Outlook Auto-Insert problem)
• Email forwarding of sensitive data
• Sharing attachments with hidden content
• Forwarding data to personal email accounts

The survey found that a large majority of organisations fail to encrypt data before it's shared – both internally and externally. This compounds the accidental breach problem, ensuring that any mistake by an employee will result in data being exposed. As a result, organisations are at risk of non-compliance with major data privacy regulations, such as GDPR, the NYDFS Cybersecurity Regulation (23 NYCRR 500), and the recently-passed California Consumer Privacy Act. According to the survey:
• 79 percent of organisations share PII / sensitive business data internally without encryption
• 64 percent of organisations share PII / sensitive business data externally without encryption

Despite the failure to encrypt, data privacy regulations are driving changes in organisational approaches to security. When asked how new data regulations changed how information was shared, respondents stated they:
• Implemented new security policies (59 percent)
• Invested in new security technologies (54 percent)
• Invested in regular employee training (52 percent)
• Restricted the use of external data sharing tools (44 percent)

Following the devastating and high-profile damage caused by ransomware attacks such as WannaCry and NotPetya, security professionals believe that malware and ransomware remain the biggest risk to their organisation.
When asked what the most significant overall risks to IT were in the coming year, respondents indicated the following:
• Malware and ransomware (48 percent)
• External attacks from cybercriminals (45 percent)
• Accidental data breaches by employees (40 percent)

Egress Chief Revenue Officer and NA General Manager Mark Bower said: “The explosive growth of unstructured data in email, messaging apps and collaboration platforms has made it easier than ever for employees to share data beyond traditional security protections. Combine this with the growing cultural need to share everything immediately, and organisations are facing the perfect storm for an accidental breach. What stands out in the survey, though, is that despite onerous regulations being enacted, companies are still failing to encrypt data before enabling employees to share it. Encryption is a well-known best practice that can prevent accidents from leading to a major incident resulting in hefty compliance penalties.”

It is worth pointing out that Egress has new products out which claim to fix all that (Egress Risk-based Protection and Egress Smart Authentication), but the numbers still add up.

 

Last modified on 08 March 2019