Your email is safer than you think it is.

Posted by in Analysis on Sep 1, 2010

So we all know that statistics are malleable, right?  Statistics are an interpretation of data, not data itself – they’re subjective.

So when I came across an article this morning asserting that “email is still the top source of data loss“, I was curious. It struck me as odd, because it doesn’t jibe with what we’ve seen from other data outlets.

Specifically, if you look at the public breach disclosure data, you see quite clearly that email isn’t anywhere close to the top of the list – it’s not even close to the middle. I repeated the calculation that these folks did back in 2007 (the share of disclosed breaches whose vector was email) against the most current data available, and email currently represents just over 1.5% of data breaches.

Which raises the question: if email is so underrepresented in actual breach disclosure data, why is it 35% on the Proofpoint leakage chart? Hmm… It could be tempting to throw up our hands and say, “hey… it’s vendor data. Par for the course.” But I’m not ready to go there. Instead, I think something else is going on.

I think the Proofpoint survey (I’m assuming it’s a survey based on how the data is structured, but they never actually say how they derived the data) shows that the instrument being used to measure data loss over-reports email as a leakage channel. Disclosure data counts breaches that actually happened; a survey counts what respondents believe or remember happened. In this case, the “instrument” is our own perception, and perception is not the same thing as the breach record.
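To make the measurement point concrete, here is an added example (not from the original post, and not Proofpoint’s or anyone’s real figures) that reads one constructed incident log two ways: the disclosure-style way, where the unit is a confirmed breach event and shares sum to 100%, and the survey-style way, where the unit is an organisation answering “check all that apply” about investigations, confirmed or not. The `Incident` type, the field names and the sample records are all assumptions made for illustration.

```python
"""Same incident log, two metrics: breach share vs. survey prevalence.
Added example; the records below are constructed, not real breach data."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    org: str         # organisation the record belongs to (assumed field)
    vector: str      # channel: "email", "lost_device", "hacking", ... (assumed)
    confirmed: bool  # True = data actually left; False = investigated only


# Constructed sample: many email *investigations*, one confirmed email loss.
SAMPLE = [
    Incident("A", "email", False), Incident("A", "lost_device", True),
    Incident("B", "email", False), Incident("B", "email", True),
    Incident("C", "email", False), Incident("C", "hacking", True),
    Incident("D", "lost_device", True), Incident("D", "hacking", True),
    Incident("E", "email", False), Incident("E", "paper", True),
    Incident("F", "hacking", True), Incident("F", "lost_device", True),
    Incident("G", "email", False), Incident("G", "lost_device", True),
    Incident("H", "insider", True), Incident("H", "lost_device", True),
]


def breach_share(incidents):
    """Disclosure-style metric: of the confirmed breaches, what fraction
    came through each vector. Unit = breach event; the shares sum to 1.0."""
    confirmed = [i for i in incidents if i.confirmed]
    counts = Counter(i.vector for i in confirmed)
    total = len(confirmed)
    return {vector: n / total for vector, n in counts.items()}


def survey_prevalence(incidents):
    """Survey-style metric ("check all that apply"): fraction of organisations
    that investigated at least one incident on each vector, whether or not
    any data was confirmed lost. Unit = organisation; can sum to more than 1.0."""
    orgs = {i.org for i in incidents}
    hit = defaultdict(set)
    for i in incidents:
        hit[i.vector].add(i.org)
    return {vector: len(o) / len(orgs) for vector, o in hit.items()}


if __name__ == "__main__":
    share = breach_share(SAMPLE)
    prev = survey_prevalence(SAMPLE)
    for vector in sorted(set(share) | set(prev)):
        print(f"{vector:12s} breach share {share.get(vector, 0):5.1%}"
              f"   survey prevalence {prev.get(vector, 0):5.1%}")
    print(f"shares sum to {sum(share.values()):.2f}; "
          f"prevalences sum to {sum(prev.values()):.2f}")
```

On this sample, email is 1 of 11 confirmed breaches (about 9%) but 5 of 8 organisations tick the “investigated a suspected leak via email” box (62.5%). Nothing in the data changed between the two numbers; only the unit of analysis and the numerator did, which is exactly why a breach-share figure and a survey-prevalence figure cannot be placed on the same chart.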

  • http://www.proofpoint.com/outbound Keith Crosley

    Thanks for your comments on Proofpoint’s research. You can download a copy of the full report, which is based on a survey of 261 email technology/policy decision-makers in large US organizations (the report contains fairly comprehensive demographic data on the respondents in an appendix) at the following URL:

    http://www.proofpoint.com/outbound

    Osterman Research does the data collection for us using an online survey instrument.

    Agree with you that, if you look at published reports of data breaches (for example, reported HIPAA violations at the DHS site), email is identified as the source of the breach less frequently than, say, lost or stolen unencrypted devices.

    What Proofpoint’s survey looks at is primarily messaging channels (including email and various social media channels), but in recent years we’ve also been comparing that to lost/stolen mobile devices. And admittedly, we don’t ask about *every* possible route for data loss.

    What we ask about specifically with respect to “data breaches” is the following:

    “Which of the following has your organization experienced within the last 12 months? Please check all that apply.”

    Which includes a section on investigations of leaks:

    Investigated a suspected leak of confidential or proprietary information via email

    Investigated a suspected violation of privacy or data protection regulations related to email

    Investigated the exposure of confidential, sensitive or private information via a blog or message board posting

    Investigated the exposure of confidential, sensitive or private information via video or audio media posted to a media sharing site

    Investigated the exposure of confidential, sensitive or private information via a posting to a social networking site

    Investigated the exposure of confidential, sensitive or private information via short message service (e.g., SMS, MMS or Web-based short message systems such as Twitter)

    Investigated the exposure of material financial information (such as unannounced quarterly results or significant deals) via a blog or message board posting

    Investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices (e.g., laptop, smartphone, mobile email device) or storage media

    Investigated a suspected leak or theft of confidential or proprietary information associated with an employee leaving the company (e.g., through voluntary or involuntary termination)

    So, what you see is that we are (1) asking about “investigations” (which may or may not have turned up actual data loss events) and (2) asking about leaks of “confidential, sensitive or private information”, which is a fairly broad category than (for example) regulated PFI or PHI. It’s the very broad category of “stuff that our organization would rather not be exposed”, which includes trade secrets and corporate intellectual property as well as regulated information.

    These two things may explain why Proofpoint’s data looks a little different from other findings that you mention.

    I don’t view this as a weakness. As I write in the report, historically, “this study was designed to examine (1) the level of concern about the content of email (and other forms of electronic messaging) leaving large organizations, (2) the techniques and technologies those organizations have put in place to mitigate risks associated with outbound messaging, (3) the state of messaging-related policy implementation and enforcement in large organizations and (4) the frequency of various types of policy violations and data security breaches.”

    Hope this helps shed some light on our research, which is now in its seventh year. I think you’d find the full report very interesting!

    Best Regards,
    Keith

    Keith Crosley
    Director of Market Development
    Proofpoint, Inc.

  • http://www.securitycurve.com Ed

    Wow! Keith, thank you for the very illuminating reply. Appreciate the context.

  • Clapp Spitz

    Modern technology has proven beyond doubt being a blessing for the purpose of virtually any and every niche. Quite possibly the most modern as well as useful way for endorsing an individual’s enterprise is actually through internet which happens to be all thanks to the technological breakthroughs.

  • http://www.securitycurve.com Ed

    Not sure if this is a spam or not. Erring on the side of caution and letting it fly since there’s no link in it.
