Bound by regulatory requirements and spooked by a wave of data
theft, companies are increasingly finding it necessary to
monitor employees' business email and Internet activities to
ensure nobody's leaking sensitive company data. But employees may
not realize some of their colleagues may have been hired
specifically to keep an eye on them.
According to a survey of 300 IT decision makers by Cupertino,
Calif.-based email security firm Proofpoint, Inc. and Atlanta,
Ga.-based Forrester Consulting, some companies are hiring staff
specifically for this task.
Regulatory requirements that dictate how information should be
disseminated are essentially what's driving the enterprises that
monitor employees' activities, said Keith Crosley, director of
market development for Proofpoint. But that motivation has shifted
in response to mounting headlines about data security breaches in
the last 18 months.
"While companies are still motivated by regulation, they are
also motivated by the need to catch thieves," Crosley said.
"Retailers have suffered recent hacks, so they are getting more
interested in keeping customer data under control."
DeKalb Medical Center in Atlanta hasn't hired staff to read
outgoing emails, but Sharon Finney, the center's information
security administrator, said her organization does worry that
sensitive data may leak out by email.
"As a hospital that's becoming all digital, the more information
we make electronic, the more possible it is for information to
escape by email," Finney said. "There are people out there who want
to take advantage of others for their health benefits, and employees
can easily copy and paste sensitive data from an application to an
email."
No significant breaches have occurred at the hospital, and
smaller infractions have taken place at the hands of employees who
simply needed more education, she said. But there's always the
concern about something serious happening, and that concern was
reflected in the survey results. Crosley said the survey found 71%
of respondents to be "very concerned" about protecting ID and
privacy information in outbound emails.
Other highlights from the survey, which was conducted during a
two-and-a-half-week period in May, include:
- Nearly half of respondents from companies with at least 20,000
employees said they hire staff to read and analyze outgoing email,
compared to 38% of respondents from companies with 1,000 or more
employees.
- More than one in three of those polled said they've had to
investigate a suspected email leak of sensitive information, and
36.4% have investigated a suspected violation of data security
rules in the past year.
- Nearly 1 in 3 companies terminated an employee for violating
email policies in the past 12 months, while more than half have
disciplined an employee for violating email policies in the past
year.
- Respondents estimated that more than one in five outgoing
emails has contained content that poses a legal, financial or
regulatory risk. The most common form of non-compliant content is a
message containing confidential or proprietary business
information.
- More than a third of respondents said their companies were
negatively affected by the exposure of sensitive or embarrassing
information in the last year.
- More than one in five were negatively affected by improper
exposure or theft of customer information, while 15% were
negatively affected by improper exposure or theft of intellectual
property.
- 25.2% were ordered by a court or regulatory body to produce
employee email in the last year.
- 18% investigated the exposure of confidential, sensitive or
private information by a third-party vendor or outsourcing firm
with whom they share such data.

Meanwhile, blogs and message boards are becoming greater sources of
risk for those surveyed. Nearly one in five companies has
disciplined an employee for violating blog or message board
policies in the past year, while 7.1% of companies fired an
employee for such infractions and 10% investigated the exposure of
financial information via a blog or message board posting in the
past year.
Crosley said some customers have come to Proofpoint specifically
because they concluded technology could track outbound email
content more efficiently than humans.
"Using staff to handle content security opens up all these
employee privacy issues," he said. "It's better to put technology
in place that can be programmed to check for compliance violations
and such than to have human beings randomly checking emails."
Finney agreed. "We have more than 200,000 messages going out a
month. It's impossible for a single person or multiple people to
scan that much email," she said. The organization also doesn't want
there to be any questions as to whether some people are being
monitored more than others. That too is where technology is the
answer.
"From a privacy perspective, having a tool do it excludes the
human subjectivity and gives you objective data," said Finney, a
Proofpoint customer. "The tool doesn't look at who the email is
from. It just says, 'Here's a potential risk.'"