Nearly one-third of organizations with more than 1,000 employees were affected by data loss events in the past 12 months, according to a study recently released by cloud-focused security firm Proofpoint.

"Data loss and data exposure events are far from rare," said Keith Crosley, director of market development at Proofpoint. "Around a third of organizations suffered a data loss event in all of these categories."

Those categories include: exposure of sensitive or embarrassing information, improper exposure or theft of customer information, improper exposure or theft of intellectual property, and exposure of confidential information through subpoenas of employee e-mail and other electronic content.


"To be honest with you, I think it's probably worse than what the data is showing," said Michael Osterman, analyst and principal for Osterman Research, which fielded the survey on Proofpoint's behalf. "Data loss is, at a minimum, an embarrassing thing for a company. At a maximum, it's actually actionable. A lot of organizations, a lot of decision-makers are fairly reluctant to really advertise this. One of the advantages of doing a survey like this is that the information is anonymized. Nobody can actually go back on somebody and say 'Hey, you lost data,' but it's still not something you want to advertise heavily."

Crosley added, "The frequency of data loss that we found in the past 12 months is really not significantly different from in previous years. These numbers have remained fairly constant. So even though we are seeing advances in terms of policy and technology adoption, data loss events still continue at what I would call a fairly alarming rate. For every high-profile data exposure that you hear about in the media, that's really just the tip of the iceberg."

The results of the survey were published in Proofpoint's Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 report. The survey represents its seventh annual study of outbound email and data loss prevention issues. Osterman Research received 261 valid responses to its survey, of which 190 responses were from decision-makers at companies with 1,000 to 5,000 employees, 45 responses were from decision-makers at companies with 5,001 to 20,000 employees and 26 responses were from decision-makers at companies with more than 20,000 employees.

"In general, the level of concern about data loss is up," Crosley said.

Knowing is only half the battle

Despite the increased awareness, 36 percent of respondents said their organizations were affected by the exposure of sensitive or embarrassing information in the past 12 months, 31 percent said they'd been affected by improper exposure or theft of customer information in the past 12 months and 29 percent said they'd been affected by improper exposure or theft of intellectual property in the same period.

Crosley explained that it is not so strange that data loss incidents appear to be increasing as awareness grows.

"If you're not actually looking for data loss events across the channel, you're not going to see them," he said. He added that historically, as Proofpoint has added questions about new exposure channels, like Facebook or Twitter, the percentage of respondents reporting data loss events through those channels began in the single digits and grew rapidly from there as companies became aware of those channels and started watching them.

"Data loss can happen in 140 characters or less," Crosley said, referring to SMS and Twitter.

Fear of lost devices

Crosley noted that IT professionals are most concerned about data loss resulting from the physical loss of laptops, smart phones and other mobile devices that contain sensitive information. The survey found that 64 percent of decision-makers were highly concerned about such a loss. The survey also found that 56 percent of respondents were highly concerned about data loss via e-mail sent from a mobile device.

In addition, 22 percent of organizations investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices or storage media in the past 12 months.

"While organizations are most concerned about the losses of mobile devices, that is not the area where most data breaches occur," Crosley said.

It is e-mail that remains the number one threat. Proofpoint found that 35 percent of companies investigated the exposure of confidential or proprietary information via e-mail in the past 12 months; 32 percent investigated a suspected violation of privacy or data protection regulations related to e-mail; 20 percent terminated an employee for violating e-mail policies; and 50 percent disciplined an employee for such violations.

Many respondents—37 percent—said they employ staff to manually read or otherwise analyze the content of outbound e-mail, and 48 percent said they perform regular audits of outbound e-mail content.

"These numbers have stayed relatively flat over the past few years," Crosley said about the manual monitoring of e-mail. "I basically think that these techniques are essentially permanent and won't change regardless of how much technology adoption there is."

Meanwhile, enterprise concerns about data loss events related to social media continued to rise over the past 12 months. Proofpoint found that 53 percent of respondents were highly concerned about the risk of data leaks through a social networking site, and 20 percent of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. Seven percent of companies terminated an employee for social networking policy violations, and 20 percent disciplined an employee for violations.

"I think the social media aspect of this is particularly interesting," Osterman said. "I think we'll see much more of this in the future. I would suspect that these numbers are probably the lowest reported versus the reality. A lot of organizations don't have good insight into what's going on with social media."

For many organizations, the answer appears to be to prohibit the use of social media that could represent a data loss threat. Fifty-three percent of respondents reported that they prohibited employee use of Facebook and 31 percent reported the same with regard to LinkedIn. Such prohibitions extend into other channels, as well: 63 percent prohibit the use of peer-to-peer file-sharing sites; 53 percent of respondents said they explicitly prohibit the use of media-sharing sites, like YouTube; 49 percent prohibit the use of Twitter; 40 percent prohibit the use of personal Web mail; 39 percent prohibit the use of the Web; and 38 percent prohibit personal use of corporate e-mail on company time.

"I can understand why organizations do this—why IT organizations want to block use or why business decision-makers want to do it," Osterman said. "The problem is that, one, it's usually not all that effective. If you have a policy or you attempt to block certain ports, you'll block some of the traffic, certainly not all of it. Despite the best intentions, a lot of this stuff is still going to go on despite the prohibition. Secondly, there's an enormous amount of business value you can get from Twitter or Facebook or any of the social networking tools, even P2P in some cases. If you just have a blanket prohibition on these tools, you're negating a lot of the business value you can derive from them. You really need to manage the way that these tools are used, not just say there will be no use."

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards, telecom and security, among other technologies.

Follow eSecurityPlanet on Twitter @eSecurityP.