Five Thoughts about Proofpoint’s 2010 Outbound Data Survey
Proofpoint’s 2010 survey once again provides great insights into the trends and initiatives that are top-of-mind for enterprise InfoSec decision makers. This write-up is not intended to be a thorough discussion of all the data included. Instead I have included some of the details that jumped out at me from this year’s report. You can view the entire report here: http://www.proofpoint.com/id/outbound0810/index.php
The report begins with a question about what level of concern organizations have with various types of data breaches. The results pretty uniformly point to the simple fact: People are scared of being breached. The majority of respondents indicated they are “concerned” or “very concerned” about every type of breach. Regardless of the size of company, enterprises worry about data loss. This fact tells me organizations either (1) know they are vulnerable to data loss, or (2) don’t have the tools available to know if they are. Either way, these organizations do not have confidence that they control their own electronic information.
The organizations included in this survey estimate that 20% of outgoing emails contain risky data. 20 percent! They believe 1 out of every 5 emails contains information that may pose a risk to the organization. Considering the hundreds of thousands of emails that must be leaving these organizations each month, the amount of damaging data would be staggering. If this were true it would seem that investigating data loss through email would be an unending battle. Yet according to a question later in the survey, only 35% of organizations investigated suspected leaks via email. These numbers reinforce the idea that those surveyed really don’t have a good handle on how much sensitive information is being emailed out, and their decision making is informed more by suspicion and fear than by facts.
Web filtering information: 53% of companies block Facebook. That number struck me as a bit low, as I think of most enterprises as being concerned about risks from social networking. But I was surprised even further that only 38% of the largest (20k+ employees) organizations block Facebook. Further, across the board, the largest organizations are more permissive about what they allow access to on the internet.
Have the large organizations figured out something that the smaller ones have not? Or are they lagging behind? Access to social networking sites is a volatile issue with significant associated security risks as well as potential productivity gains as employees access more information and contacts. It seems like this split between the largest enterprises and the smaller ones is telling us something about social networking in the enterprise, but I just can’t see it yet.
Enterprises are not providing consistent training to ensure employees know email security and web use policies. Considering the high levels of concern around data being leaked through email, I would expect to see email acceptable use included in training universally. Instead, only 55% of enterprises provide email security training. Web security and acceptable use is even worse, with only 31% of organizations requiring it.
Finally, 70% of organizations say it’s important or very important to reduce their exposure from data in outbound emails. 67% say the same about reducing exposure from outbound web traffic. These numbers clearly indicate that enterprises do not feel their data protection measures are sufficient to the current and future task of protecting the organization. They know the data is being included in emails, uploaded to websites and stored insecurely, but they just have not been able to fix the problem yet.
Organizations know their data is at risk, and that they must take action to protect that data. But constraints are preventing them from achieving security. Budgets, reduced headcounts, and insufficient experience/skill sets can all prevent organizations from implementing the tools and processes needed to secure their valuable data. The solution will be a combination of:
- increased enterprise resources being allocated to protect the organization from the risk of data loss, and
- smarter, lower cost, and lower maintenance tools that will automate processes to ensure that risky data stays in the organization where it belongs.
There’s lots more useful information in the full report. And I’m interested in reading what conclusions the rest of you come to from this report.
Connect with Robb on Google+