Sophisticated phishing campaigns, socially engineered malware scams and a never-ending barrage of new mobile devices and applications continue to torment enterprise IT security administrators, but it turns out that some of the most commonly used and seemingly innocuous applications are responsible for a growing number of data breaches.

According to a new report from on-demand security software vendor Awareness Technologies, personal email services like Gmail, Hotmail and Yahoo Mail are increasingly responsible for the accidental or deliberate loss of customer and corporate data.

And because these ubiquitous services have been around so long, many employees and security administrators have become far too casual not only about what data they exchange but how well they secure these individual accounts.

"While corporate laptops and computers and the growing use of USB flash memory sticks remain the top reported data breach methods, it's employee use of webmail services such as Gmail, Hotmail and Yahoo! Mail that is emerging as the biggest underreported way in which confidential information gets into outside hands," Ron Penna, Awareness Technologies' chief strategy officer, said in the report.

After reviewing significant data breaches that occurred at more than 10,000 enterprise customer sites, Awareness Technologies’ security team found that employees are responsible for the majority of these mishaps. And, according to IT security research firm Ponemon Institute, these incidents cost millions to resolve and do even more damage to a company's reputation and brand.

Awareness Technologies found that most of the so-called "insider" breaches were a result of employees either being malicious, untrained or gullible enough to fall for a variety of socially engineered scams designed to gain access to their personal email accounts.

The proliferation of mobile devices, distributed workforces and companies' increasing reliance on cloud-based apps and services like email have created virtually unlimited opportunities for data thieves who recognize just how much sensitive data is exchanged through these accounts.

A cottage industry of do-it-yourself malware kits has emerged, making it even easier for would-be data thieves to snare personal information and logins from social networking sites like Facebook and Twitter and break into personal email accounts used for both personal and professional correspondence.

"While some companies do ban personal emails in the workplace, taking a proactive approach that makes decisions based on the content of the communications instead of simple block/allow lists is infinitely more effective for preventing data breaches," Penna said.

Installing a data loss prevention (DLP) application that establishes and enforces policies to prevent certain corporate data from being sent or shared via a personal email account is just the start, Penna said.

"The better DLP options for businesses rely not on which channel is being used but rather instead take a data-centric approach to identifying breaches," he said.

"Whether malicious or accidental, data breaches are devastating to a company's bottom line and its customer relationships and the right policies, training and technology can dramatically reduce an organization's risk to careless insiders."

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.

Follow eSecurityPlanet on Twitter.