Research Reveals Data Loss Still Major Threat Despite Increased Corporate Efforts

Focus on threat of outside attacks overlooks danger of employee behavior.

February 5, 2007
While most American companies are investing in technology and policy to secure sensitive data from outside attacks, the threat of data loss at the hands of their own employees is what should have their attention. A study, conducted for McAfee by Illuminas, surveyed 300 office workers across the United States at companies with at least 200 employees. More than two-thirds of responses came from organizations with more than 1,000 employees.

The research suggests that most U.S. companies are establishing corporate policies to prevent data loss, with the overwhelming majority of respondents (84 percent) saying their company has a formal policy in place regarding the treatment of sensitive information. However, the research also reveals that many employees consistently disregard those policies. For example, 21 percent of all respondents admitted to leaving a confidential or sensitive document on a printer tray, and 22 percent said they sometimes lend to colleagues the portable devices on which they store work documents.

Key findings that demonstrate the danger American employees are posing to corporate security include:
  • Eighty-four percent of respondents said their organization has a policy regarding the treatment of sensitive information, with that group citing shredding (69 percent), locks (47 percent) and passwords (51 percent) among the ways to manage it.
  • More than a quarter (26 percent) of all respondents do not shred confidential or sensitive documents when they have finished with them.
  • Twenty-one percent of all respondents admitted to leaving a confidential or sensitive document on a printer tray.
  • Eighty-eight percent of respondents who said they transfer customer data outside the organization said they use e-mail to do the transfer.
  • Twenty-three percent of that group also said they use Web-based e-mail to transfer this data out of the workplace.
  • Nearly four out of every 10 respondents (38 percent) take up to 10 documents out of the office each week on portable devices such as laptops (41 percent), USB memory sticks (22 percent) and CD-ROMs (13 percent).
  • More than one in every five respondents (22 percent) physically lend the portable devices on which they store work documents to colleagues.

More than reputations at risk

According to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization, since February 2005 more than 100 million data records containing sensitive personal information of U.S. residents have been exposed due to security breaches. In addition to severely damaging a company's reputation, leaked customer or corporate data can result in legal action if the business violates regulations such as the Gramm-Leach-Bliley Act of 1999, California Senate Bill 1386, or the Health Insurance Portability and Accountability Act (HIPAA), which now force public notification of breaches of personally identifiable information. Senator Dianne Feinstein (D-Calif.) recently introduced the Notification of Risk to Personal Data Act, which would require businesses and government agencies to notify consumers under certain circumstances of data breaches.

Outside focus, inside threat

Threats to enterprise security have traditionally been viewed as originating outside the organization. Companies regularly spend thousands of dollars on technology products in an effort to stop intruders and malicious software from entering their corporate network.

However, while the majority of businesses scan their in-bound e-mail for unsolicited content, many fail to check their internal and outbound e-mail, essentially allowing the unauthorized transfer of data within or outside of the organization.

The growing use of portable devices by employees is also challenging the integrity and security of digital assets. Company laptops, USB sticks, mobile phones and MP3 devices make it easy to transport thousands of documents at a time out of company parameters, but the vast majority of these devices go uncontrolled by IT departments.