The Dangers of Outbound Content

By Michael Osterman
in

We recently completed a major survey for Proofpoint focused on the current state of data loss arising from inappropriate or accidental use of email, social media tools and the like.  Here’s a summary of what we found:

  • Nearly three out of five organizations reported that IT budget cutbacks or other constraints have made it more difficult for them to protect sensitive information from being leaked through email and other venues.  When we did the survey last year, that figure was 50%.
  • One in five organizations has fired an employee for their violation of email policies during the past year, while one-half of organizations have disciplined at least one employee for violating these policies.
  • During the past year, one in five organizations has investigated the leakage of sensitive or confidential information via a social media site like Twitter or Facebook and the same proportion have disciplined one or more employees for violating corporate social media policies.
  • Slightly more than one-half of organizations are very concerned about losing sensitive or confidential information via Twitter or similar tools—this figure has increased from 41% when we did the survey last year.

Although we conducted the survey with enterprises (1,000 or more employees), the lessons here are applicable to virtually any size of organization. As I see it, there are three key takeaways from this research:

  • Establish detailed and thorough use policies for every medium, tool, venue, etc. from which sensitive or confidential might be leaked. This includes email, of course, but also Twitter, Facebook, LinkedIn, Webmail, blogs, wikis, etc. Organizations that don’t have these types of policies run the risk of increased data loss and a less defensible position when disciplining employees for doing something they shouldn’t.
  • Monitor and manage communication tools. This means implementing the tools and technologies that will allow compliance officers, IT staff or others to see what’s leaving the organization; the ability to turn off some capabilities that may not have business value for some employees (e.g., file-sharing via instant messaging clients); and the ability to check for sensitive or confidential information before it passes the firewall.
  • Deploy robust encryption capabilities that will permit sensitive data to be sent securely.  Most email and other content is not encrypted, even when it contains confidential information or other content that should be encrypted.

You can access a copy of the research here.

Published September 8, 2010