Meet us at RSA 2024

Polymer

Download free DLP for AI whitepaper

Why is email still the biggest source of sensitive data leaks?

Jan 10, 2022
Diligence Insider Threat Training
email data email security

Summary

  • Traditional employee training and email protection solutions won’t protect you from a data breach
  • Legacy DLP solutions can hamper employee productivity and lack the contextual awareness to be fit for purpose in today’s environment
  • Training away days are often cumbersome expenses that lead to no real change
  • Employees need to innovate their approach to data protection–with a focus on cloud-based DLP

Buckle up… It’s time for some hard truths about your company’s security. You might think that you’re doing every right. You train your employees, use anti-virus and anti-malware technologies, and have an email filter solution in place.

Unfortunately, that isn’t enough to protect yourself from today’s breaches–and it’s definitely not enough to meet compliance standards like HIPAA, the GDPR and CCPA.

You need to account for the human factor

Verizon’s 2021 DBIR report found that 85% of data breaches can be traced back to human error. Another report from Forrester follows a similar trail of thought: 61% of security leaders believe their next data breach will result from human error.

These breaches have several causes, such as:

Below, we’ll explore why traditional training and email security solutions don’t quite cut it in today’s landscape. And what you should do instead…

Why old-school training doesn’t work

In the last few years, 83% of businesses experienced phishing attacks. As we mentioned in the intro, you might think that, by training your employees, you are helping to reduce the likelihood of a successful phishing scam. This is technically true–but it depends entirely on the type of training you provide.

Too often, companies treat employee training like a tick-box compliance exercise. The training is often generic and, well, dull. It’s not contextualized to the business at all. Moreover, these lessons usually take the form of lengthy, school-style away days. Your employees feel like they’ve gone back to school, and it’s unlikely they’ll retain the information given for long. There’s simply too much to process in a short amount of time.

Moreover, your employees could end up resenting this form of training. Over the last year, 70% of employees globally reported higher stress levels, and more than half reported elevated anxiety levels, according to Microsoft. 

Chances are, your people are under pressure and have deadlines to meet. An away day for security training takes valuable time away from your employees. We also need to remember that the cybersecurity landscape moves fast. Training that’s fit for purpose today won’t necessarily protect your company–or your employees–from the threats of tomorrow.

According to Proofpoint’s 2021 State of the Phish report, 65% of US organizations experienced a successful phishing attack last year. This is a case in point. If training were working, phishing attack success wouldn’t be so high.

Infographic with stats, highlighting the pervasive nature of data loss in the enterprise.

 

The dangers of legacy email security 

We already know that traditional email solutions don’t protect against more advanced phishing attacks–but they let organizations down from a DLP perspective too. Traditional email DLP tools work by scanning an email’s text and attachments for policy keywords. If they see a keyword, they will trigger an action based on who the email is being sent to, such as redaction or blocking the email.

There’s a couple of problems with this. Firstly, the state of play in organizations is changing every day. These DLP solutions rely on IT staff to manually update policies in order to be effective. It’s no secret that today’s IT teams are often overwhelmed and understaffed, meaning it’s easy for policy updates to fall down the priority ladder.

Moreover, legacy DLP solutions aren’t contextually-aware. They follow the policies that are put in place to the letter. This can often lead to employees feeling frustrated by security as it can prohibit them from doing their jobs. Recent research even shows that 58% of employees think some security tools are detrimental to productivity. This leads us to the biggest problem of all: shadow IT.

If security gets in the way of efficiency, employees will simply find workarounds. They might use their own devices, cloud tools (more on that below), or even personal email addresses to send data–and your traditional DLP solution won’t pick it up!

And don’t forget…collaboration tools!

Traditional DLP solutions were designed in the 90s–before the cloud even exited. These solutions aren’t fit for purpose anymore. No organization just uses email to collaborate and communicate. Most use a mixture of Teams, Slack, Google Drive, DropBox, Zoom, Trello…The list goes on.

As a result, organizations create and share more unstructured data than ever. By 2024, it’s estimated that 80% of organizations’ data will be unstructured. Most of this data will be in the cloud – scattered across different applications and platforms. To prevent a data breach and meet compliance objectives, organizations need to get a handle on it.

You might be tempted to reduce your company’s use of these collaboration tools–but that’s not the way forward. In the hybrid world, collaboration tools facilitate the instantaneous communication that employees need to be productive. However, these tools are a security risk. One study found that 25% of employees share confidential company data on these channels.

Without the right tools in place, it’s impossible for IT personnel to know what data is being shared in the cloud, who with and when. They need better visibility and control over company data in the cloud.

Here’s what you need instead 

This is where cloud DLP comes into its own. At its core, cloud DLP is similar to email DLP– except its designed for the modern workplace. This is because it is data-centric. Rather than focusing on securing an endpoint or the corporate network, it focuses on safeguarding data wherever it goes.

Cloud DLP works by monitoring, classifying and protecting sensitive data across your cloud applications and collaboration tools. Through pre-defined policies, these solutions prevent data loss in real-time through automatic actions like redaction, encryption and deletion.

Moreover, the best-in-breed of these solutions are self-learning. They use AI to pick up on patterns about user behavior and sensitive data and evolve their policies in line with their analysis. This takes the burden of IT teams to re-define and set new data policies constantly.

As an extra edge, some cloud DLP solutions even feature in-built training modules. These are a form of on-the-go eLearning that encourage users to make security-conscious choices as they go about their workday. Nudge training tools can be integrated into the daily workflow, appearing like a prompt or reminder.

Conclusion

Ultimately, in the age of the cloud, you need to make sure your approach to both training and data protection are in line with the times. Scanning emails for sensitive data isn’t enough and you should also make lengthy training away days a thing of the past. 

By being proactive about securing data in the cloud, and making employee training more engaging, you can improve efficiency, boost employee productivity, save costs and, most importantly, reduce the likelihood of a devastating data breach. 

If you are looking for a DLP solution, check out our DLP for SaaS buyers’ guide.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.

SHARE

Get Polymer blog posts delivered to your inbox.