eChannelLine, Canada 08-02-06 Companies can't block sensitive data sent by employees: survey


3 August, 2006

By Mark Cox

A new study has found that the vast majority of companies can monitor, but not block, sensitive content flowing out of the network by e-mail, instant messaging, Web mail, or other applications that communicate outside the network.

The new study surveyed 171 organizations in the government, university and commercial sectors concerning internal threats to their customers' sensitive data as well as their own proprietary information. The purpose of the survey, one of the first of its kind to address all the network communication risks that employees or trusted insiders could pose within an organization, was to determine how significant a threat employees and trusted insiders are to the sensitive data an organization is storing, sending and/or accessing. The survey also set out to determine what technology, if any, the organizations were using not only to monitor all outbound network communication, but to block any communication that contains sensitive data. The survey discovered that none of the organizations surveyed are utilizing any technology to block network communications that contain sensitive data.

Of the participants, 12.3 per cent were from companies with one to 100 users, 14.6 per cent between 501 and 1,000, 46 per cent between 1,001 and 5,000 and 22.8 per cent above 10,000.

The study found that 78 per cent of the organizations surveyed store, send, or access consumers' personally identifiable information or proprietary data. 84 per cent of the organizations surveyed were required by law or industry regulations to protect client records and information.

Of the organizations that store, send, or access private information, 83 per cent store, send, or access addresses and phone numbers, 67 per cent store, send, or access Social Security Numbers, 36 per cent store, send, or access bank account information, and 30 per cent store, send, or access credit card numbers.

A substantial majority (76 per cent) of network security professionals questioned by the survey felt that internal threats posed an equal or a greater danger to their organization compared to external threats. Lately, many security and liability issues have been reported in the news concerning employees who accidentally misused sensitive data such as social security numbers, bank account information, credit card numbers, intellectual property, etc.

The study also found that the solutions being employed were not adequate to the task of monitoring and stopping the leak of sensitive data by all the protocols and applications that can be used by an employee to share data outside the network.

Only 64 per cent of the organizations surveyed have some type of tool to monitor communications for data leaks. Only 30 per cent indicated they monitor content flowing out of their network by e-mail. Only 16 per cent indicated they monitor content flowing out of their network by instant messaging. Only 13 per cent indicated they monitor content flowing out of their network by Web mail.

While the survey was conducted by a professor at Iowa State University, it was funded by Palisade Systems Inc., which makes enterprise content security and data protection solutions. The company maintains that only when organizations begin deploying content monitoring and filtering (a.k.a. data loss prevention) products, which are produced by only a handful of vendors (Palisade among them), will they finally be able to stop sensitive data from leaking out via all network communication protocols, including e-mail. The company says that until organizations make the investment in new content monitoring and filtering technology, we will continue to hear more news stories about consumers' sensitive data and organizations' proprietary data (e.g. the theft of Coca-Cola's secret recipe by employees) falling into the wrong hands.
