44% of executives believe employees have erroneously exposed personally identifiable information (PII) or business-sensitive information using their company email account.
Accidental internal breaches are growing
The Egress survey of 500 IT security decision makers in the U.S. also revealed that accidental internal breaches are a growing security risk for organizations. Over 70% of respondents recorded experiencing this type of breach during the last five years, with half of these incidents occurring in the previous 12 months.
IT security decision makers also ranked accidental employee breaches as one of their top three concerns (46%), just behind external hacks (55%) and malware (53%).
Yet, surprisingly, despite this growing threat and more stringent compliance regulations coming into effect, such as the pending California Consumer Protection Act (CCPA), fewer than half (39.6%) of organizations are educating staff on how to improve security when sharing data.
“We’re only human and people are always going to make mistakes. But as the workforce has become more reliant on digital communication, and is increasingly remote and flexible, it has also become more difficult for traditional network perimeter security technologies to protect data,” said Tony Pepper, CEO, Egress.
“In fact, people are now the new security perimeter in most organizations, and as a result, businesses need to evolve the way they protect themselves. This research highlights the growing imperative to detect abnormal human behavior – including accidental data leaks – to stop breaches before they occur.”
Email presents the biggest risk for organizations
The survey results showed that both corporate and personal email are the leading applications for accidental data leaks. Other at-risk applications include file sharing services (39%), collaboration tools (34%), and SMS/instant messaging (33%).
These applications have remained an ongoing issue for organizations throughout 2019. Compared with Egress's previous survey, the share of respondents citing external email as a risk rose from 50% to 54% over the last year, while the other applications stayed at the same level.
Despite awareness of these risks within the organization, one in four respondents (26%) stated that employees share sensitive data outside the organization without encryption, increasing the likelihood of a breach. Internal data sharing has also become a worrying blind spot, with 65% of respondents revealing that their organization does not encrypt data shared internally.
CCPA compliance is a top concern for organizations
According to IT decision makers, 93% of organizations have taken steps to comply with regulations like GDPR and the pending CCPA. These steps include improved use of existing security technologies (58.8%), improved data handling practices (55.8%), investment in new security technologies (55.2%), staff education (39.6%), and hiring new security personnel (29.2%).
One of the pivotal components of CCPA compliance is the ability to complete Data Subject Access Requests (DSARs) within 45 days, which can include information shared via email and stored on network drives, as well as that contained within databases.
Reflecting their focus on CCPA, respondents were confident in their ability to comply with these requests, with 72% believing their organization could accurately fulfill a DSAR within 45 days. However, timing remains a concern for 23% of respondents, who believe they would need longer than the 45-day limit.
“It’s encouraging to see organizations taking proactive steps to enhance their compliance with data privacy regulations like GDPR and CCPA,” said Pepper.
“We hope these measures will curb the number of internal data breaches this survey uncovered – but in reality, and certainly for the immediate future, we will probably continue to see organizations struggling to mitigate people’s unpredictable behavior using traditional static technologies.
“Instead, IT security decision makers are advised to examine emerging solutions based on contextual machine learning that dynamically react to potential breaches in real time as employees share data.”