While security professionals constantly fear the big bad hacker breaking into their enterprise and wreaking havoc, the biggest threat to security is sitting inside the company and drawing a paycheck.
Cloud and e-mail security specialist Proofpoint notes in its seventh annual study of data loss prevention (DLP) issues that e-mail is the largest source of data compromise, making up 35 percent of all data loss issues.
Employee misuse of work-issued mobile devices and popular social media services like Facebook, LinkedIn, Twitter, video sharing sites, forums and blogs are also resulting in more data loss issues, and are forcing disciplinary actions, including termination.
Proofpoint surveyed 261 e-mail and messaging decision makers at large U.S. enterprises (more than 1000 employees) and asked about the frequency of data loss events in the past 12 months as well as their concerns, priorities and policies related to e-mail, the Web, social media and other sources of data loss risk.
The results can't be encouraging. Even with all the products on the market around DLP, companies like Proofpoint offering loss prevention services and company security policies, Data is still being lost at a high rate. Thirty-six percent of respondents said their organization had suffered a disclosure of sensitive or embarrassing information in the past 12 months.
"These kinds of internal issues are at least as important if not more so than the threat of breaches from outside sources," said Keith Crosley, director of market development at Proofpoint. "It shows companies do lose a lot of data. It's very hard to control these channels, and for every large scale reported breach, that's the tip of the iceberg in terms of data breaches. There are many smaller ones that happen for every one you reported."
Thirty-one percent of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months, while 29 percent said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.
The real problem is how this stuff gets out. Twenty percent of companies said they had investigated the exposure of confidential, sensitive or private information via a post to a social networking site like Facebook.
In addition, 25 percent of companies investigated a data leak on a blog or message board posting and 17 percent of companies investigated the exposure of confidential, sensitive or private information via Twitter, texting and other instant messaging services.
All told, 53 percent of companies surveyed are highly concerned about the risk of information leakage via social networking sites, and an equal percentage have been forced to explicitly prohibit the use of Facebook, while 31 percent explicitly prohibit use of LinkedIn while at work.
"There's not a lot of high-level training for employees on what company policies are and what actions they should take to protect the data. Well under half provide any training on that," said Crosley. "Ninety percent of companies say they have a formal written policy for acceptable use, but just because it's in a handbook that doesn't mean employees understand what they need to do."
The complete report, entitled "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010," is available online , registration required.