Data loss landscape

by Mark Rowe

The most critical aspect of the data loss problem is its human causes, according to the cyber security firm Proofpoint, which has released a ‘2024 Data Loss Landscape’ report.

Ryan Kalember, chief strategy officer at Proofpoint, said: “Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, all while GenAI tools are absorbing common tasks—and gaining access to confidential data in the process. Organisations need to rethink their DLP strategies to address the underlying cause of data-loss—people’s actions—so they can detect, investigate, and respond to threats across all channels their employees are using including cloud, endpoint, email, and web.”

The report draws on a third-party survey of 600 security professionals at organisations with 1,000 or more employees, across 17 industries in 12 countries including the UK. Findings:

– Data loss is widespread yet preventable: UK organisations experienced an average of 16 data loss incidents each in the past year, and 82pc of respondents said the main cause was careless users. Carelessness includes misdirecting emails, visiting phishing sites, installing unauthorised software, and emailing sensitive data to a personal account. These are all preventable behaviours that can be mitigated with practices such as DLP policy rules for email, web uploads, cloud file syncing, and other common data exfiltration channels.

– Misdirected email is one of the simplest and most significant sources of data loss: According to 2023 data from Tessian, about one-third of employees sent one or two emails to the wrong recipient. That means a business of 5,000 employees can expect to deal with around 3,400 misdirected emails per year. A misdirected email containing employee, customer or patient data can potentially trigger a significant fine under GDPR and other legal frameworks.

– Generative AI is the fastest growing area of concern: artificial intelligence tools such as ChatGPT, Grammarly, Bing Chat and Google Gemini are increasing in power and utility, and more users are inputting sensitive data into these applications. “Browsing gen AI sites” has become one of the top five DLP and insider threat alert rules configured by organisations using Proofpoint’s Information Protection platform.

– Consequences of malicious actions can be costly: 21pc of UK respondents said malicious insiders such as employees or contractors were behind data loss incidents. Malicious insiders, including departing employees who set out to harm the organisation, can do more damage than careless ones because they act deliberately and for personal gain.

– Departing employees were identified as the third riskiest user category (34pc): they do not always think they are acting maliciously; some simply feel entitled to leave with information they have produced. Proofpoint data suggests that 87pc of anomalous file exfiltration among cloud tenants over a nine-month period was caused by departing employees, underscoring the need for preventative measures such as a security review process for this user category.

– Privileged users are the riskiest: Two-thirds (66pc) of UK respondents identified employees with access to sensitive data, such as HR and finance professionals, as representing the greatest risk of data loss. Additionally, Proofpoint data shows that 1pc of users are responsible for 88pc of data loss events. These findings indicate that organisations must prioritise best practices such as using data classification to identify and protect business-critical data and the “crown jewels,” as well as monitoring people with access to sensitive data or admin privileges.

– Organisations’ data loss prevention (DLP) is maturing: many DLP programmes in the UK are initially set up in response to regulation, with more than half (56pc) of survey participants citing regulatory compliance as the primary driver. Protecting the company’s reputation and protecting customer and employee privacy tied for second (both 46pc). Besides such technical and policy work, cyber awareness training is equally crucial, said Carl Leonard, EMEA cybersecurity strategist at Proofpoint. He said: “It serves as a constant reminder to employees that their actions matter, and carelessness can have severe consequences, including reputational damage and financial losses.”
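As an added illustration, and not code from the report or from Proofpoint, the following Python sketches two of the controls the findings above point at: a rule for sensitive-labelled email leaving the organisation, which separates personal webmail accounts from other external recipients, and a per-user cloud download baseline that applies a lower spike threshold to users flagged as departing. The audit events, the corporate and webmail domain lists, the classification labels, the leaver list and the thresholds are all constructed assumptions for the example.

```python
"""Two insider data-loss detections over a constructed audit log.

Constructed example, not Proofpoint code. Events are plain dicts of the
kind a DLP or CASB product might export; every value below is made up.
"""
from collections import defaultdict
from statistics import median

ORG_DOMAIN = "example.com"                                   # assumed corporate mail domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com",  # assumed consumer webmail list
                    "icloud.com", "hotmail.com"}
SENSITIVE_LABELS = {"confidential", "restricted"}            # assumed classification labels


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def detect_email_leaks(events):
    """Flag sensitive-labelled mail sent outside the org.

    Personal webmail recipients are reported separately because "emailing
    sensitive data to a personal account" is its own careless-user pattern.
    """
    findings = []
    for e in events:
        if e["type"] != "email" or e["label"] not in SENSITIVE_LABELS:
            continue
        for rcpt in e["to"]:
            d = _domain(rcpt)
            if d == ORG_DOMAIN:
                continue
            reason = "personal_webmail" if d in PERSONAL_DOMAINS else "external_recipient"
            findings.append({"user": e["user"], "day": e["day"], "recipient": rcpt,
                             "label": e["label"], "reason": reason})
    return findings


def detect_download_spikes(events, departing, normal_ratio=5.0,
                           departing_ratio=2.0, min_baseline_days=3):
    """Flag days where a user's download volume jumps against their own baseline.

    Baseline is the median of the user's earlier unflagged days, so one
    big day cannot poison the next day's baseline. Departing users are
    held to a tighter ratio (thresholds are assumptions).
    """
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["type"] == "download":
            daily[e["user"]][e["day"]] += e["bytes"]
    findings = []
    for user, per_day in daily.items():
        history = []
        threshold = departing_ratio if user in departing else normal_ratio
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_baseline_days:
                baseline = median(history)
                ratio = total / baseline if baseline else float("inf")
                if ratio >= threshold:
                    findings.append({"user": user, "day": day, "bytes": total,
                                     "ratio": round(ratio, 1),
                                     "departing": user in departing})
                    continue  # keep anomalous days out of the baseline
            history.append(total)
    return findings


def _downloads(user, days_bytes):
    return [{"type": "download", "user": user, "day": f"2024-03-{d:02d}", "bytes": b}
            for d, b in days_bytes]


# Constructed sample log: a flat week per user, then one day of interest.
EVENTS = (
    _downloads("alice", [(d, 40_000_000) for d in range(4, 11)] + [(11, 60_000_000)])
    + _downloads("bob", [(d, 50_000_000) for d in range(4, 11)] + [(11, 150_000_000)])
    + _downloads("carol", [(d, 10_000_000) for d in range(4, 11)] + [(11, 200_000_000)])
    + [
        {"type": "email", "user": "alice", "day": "2024-03-11", "label": "confidential",
         "to": ["dan@example.com"]},
        {"type": "email", "user": "alice", "day": "2024-03-11", "label": "confidential",
         "to": ["alice.home@gmail.com"]},
        {"type": "email", "user": "bob", "day": "2024-03-11", "label": "public",
         "to": ["friend@gmail.com"]},
        {"type": "email", "user": "carol", "day": "2024-03-11", "label": "restricted",
         "to": ["j.smith@supplier.co.uk", "dan@example.com"]},
    ]
)
DEPARTING = {"bob"}  # assumed HR leaver feed


if __name__ == "__main__":
    for f in detect_email_leaks(EVENTS):
        print("EMAIL   ", f)
    for f in detect_download_spikes(EVENTS, DEPARTING):
        print("DOWNLOAD", f)
```

Run as-is, bob's 3x jump is reported only because he is on the leaver list, while carol's 20x jump trips the general threshold; alice's modest increase and her mail to a colleague produce nothing. In a real deployment the leaver feed, the label source and the baseline window would come from HR, the classification system and the DLP product respectively.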



© 2024 Professional Security Magazine. All rights reserved.