A study conducted across 12 countries and 17 different industries shows that data loss is more due to negligence rather than human malice.
After people, the most precious asset to protect in business is data. However, while they invest in prevention and protection solutions, 85% of them report having suffered data loss during the year 2023.
A report, published by Proofpoint, a specialist in cybersecurity and data loss prevention solutions, indicates that more than 9 in 10 organizations have faced business interruption and loss of revenue (more than 50% of organizations affected), or damage to reputation (40%). The consequences are unfortunate for these companies, especially when we learn that only 1% of users are responsible for 88% of data loss.
Even more surprising, the causes of these losses, attributed to humans, are more due to negligence than a real desire to harm society, as declared Ryan Kalember, director of strategy at Proofpoint.
“ Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, while GenAI’s tools absorb routine tasks and thus gain access to confidential data. » Companies will therefore have to take this new entity into account in their actions to prevent data loss.
Negligence or malice, data loss is expensive
The consequences of malicious actions can be costly. The recent France Travail cyberattack, which exposed the data of more than 40 million users, taught us this. But they remain avoidable. 20% of respondents said malicious collaborators, such as employees or contractors, caused data loss incidents. Malicious actions and employee departures who seek to harm the organization can have even greater consequences than negligent employees, because these individuals are motivated by greed.
Employees who leave the company don’t always think they are acting maliciously. For example, some people simply feel entitled to leave with the information they have produced, such as an address book, mail exchanges, shared documents, etc. Proofpoint data shows that 87% of abnormal file exfiltrations among enterprise cloud subscribers over a 9-month period were caused by departing employees, highlighting the need for companies to adopt strategies preventative measures such as implementing a security review process for this category of terminated or resigned users.
Compliance with the GDPR and legal rules at the heart of the data loss prevention strategy
Data loss is a widespread but preventable problem. Organizations experienced the equivalent of more than one incident per month (an average of 15 data loss incidents per organization in the past year), and 71% of respondents said the primary cause was negligence of users. This negligence includes hijacking emails, visiting phishing sites, installing unauthorized software and sending sensitive data, such as French health data hosted by the American Microsoft, by email to a personal account .
These are avoidable behaviors that could be mitigated by practices such as implementing DLP (data loss prevention) policy rules for email, web uploads, file synchronization in the cloud and other common data exfiltration methods.
According to data from Tessian (a subsidiary of Proofpoint) for 2023, for example, around a third of employees sent one or two emails to the wrong recipient. This means that a company with 5,000 employees can expect to deal with approximately 3,400 misdirected emails per year. A misdirected email containing employee, customer or patient data can potentially result in a significant fine under GDPR and other legal frameworks.
Sources: Help Net Security, Proofpoint
2