Companies are becoming more alarmed about sensitive information leaking out of email, but many firms still rely on manual processes to scan messages and are even hiring employees to sift through email, according to a new survey.
A survey on outbound email and data loss prevention found that 41% of U.S.-based companies with 20,000 or more employees say they employ staff to read or otherwise analyze outbound email. Overall, more than 29% of U.S. companies surveyed employ such staff.
The survey, Outbound Email and Data Loss Prevention, 2008 was conducted by Cambridge, Mass.-based Forrester Consulting. It was commissioned by email security vendor Proofpoint. The results were based on 424 responses from companies with 1,000 or more employees.
The trend of hiring people to read email is expected to rise, according to the survey. An additional 15% of companies surveyed said that they intend to deploy such staff in the future.
While companies are very concerned about data leakage from outbound email, they are not adopting email content screening software in large numbers. Of those that do, healthcare and financial services firms lead the way, deploying more advanced technologies to monitor outbound email. Twenty-two percent of U.S.-based respondents said they deployed technologies designed to detect protected healthcare information in outbound email. Less than 25% said they are using software to detect private personal or financial information such as Social Security numbers.
"We expect to see the number of companies conducting manual reviews decline as technology adoption improves," said Keith Crosley, director of corporate communications at Proofpoint.
Crosley admitted that companies could be finding it cheaper to hire an employee to conduct content monitoring of outgoing email rather than deploying software to handle the job.
"Concern about false positives is very big, but these technologies are viewed as an enabler," he said. "If they don't have this kind of technology in place, they can't be transmitting personal healthcare information without it being encrypted."
The software can also be complex to deploy and use, said Chenxi Wang, a principal analyst of security and risk management at Forrester Research Inc. It's also not 100% foolproof, Wang said of the technology.
"I am not completely surprised that some companies are using humans to inspect email. But I doubt they are inspecting all outbound emails," Wang said, adding that companies could be hiring a person to inspect the results and exceptions flagged by automated content scanning.
To work effectively, content scanning technologies require a fair amount of configuration and tuning, Wang said.
"For instance, the word 'Viagra' is a completely legal business word for a healthcare organization, while it can be listed as a spam word for others," Wang said in an email exchange. "There is no one-size-fits-all solution."
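As an added example, not code from the article, Proofpoint or Forrester, the following Python snippet shows the kind of tuning Wang describes in a minimal outbound-mail content filter: identifier detection (a format-checked Social Security number pattern and a Luhn-validated payment-card pattern), an organization-specific term list so that a word like "Viagra" is ordinary vocabulary for one organization and a flag for another, and a policy decision that routes confirmed hits to encryption when the recipient is external and ambiguous hits to human review. The patterns, term lists, domain names and sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed example of an outbound-mail content filter (assumption: not a vendor's
# rules and not anything the survey reports). Patterns are deliberately simple.

# U.S. SSN in dashed form; rejects area 000/666/9xx and all-zero group or serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optional space/dash separators, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Words that are spam indicators unless an organization lists them as business vocabulary.
SPAM_TERMS = ("viagra", "cialis")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Policy:
    internal_domains: set                       # mail staying inside these domains is not encrypted
    sensitive_terms: set                        # context words marking PHI / PII (assumed list)
    business_terms: set = field(default_factory=set)  # spam-list words that are legitimate here


@dataclass
class Verdict:
    action: str                                 # "allow", "encrypt" or "review"
    findings: list                              # (kind, matched text) pairs


def scan(sender: str, recipients: list, body: str, policy: Policy) -> Verdict:
    """Classify one outbound message under the given policy."""
    findings = []
    lowered = body.lower()

    for m in SSN_RE.finditer(body):
        findings.append(("ssn", m.group()))

    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
        else:
            # Long digit run that fails Luhn: order number? tracking id? Needs a human.
            findings.append(("card?", m.group()))

    for term in policy.sensitive_terms:
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            findings.append(("term", term))

    for term in SPAM_TERMS:
        if term not in policy.business_terms and re.search(r"\b" + term + r"\b", lowered):
            findings.append(("spam-term", term))

    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in policy.internal_domains]
    confirmed = [f for f in findings if f[0] in ("ssn", "card", "term")]
    ambiguous = [f for f in findings if f[0] in ("card?", "spam-term")]

    if confirmed and external:
        return Verdict("encrypt", findings)     # hand off to the encryption gateway
    if ambiguous:
        return Verdict("review", findings)      # queue for the human reviewer
    return Verdict("allow", findings)


if __name__ == "__main__":
    # Constructed policies for a hypothetical clinic and a hypothetical retailer.
    clinic = Policy({"clinic.example"}, {"patient", "diagnosis"}, business_terms={"viagra"})
    shop = Policy({"shop.example"}, {"cardholder"})
    print(scan("dr@clinic.example", ["claims@payer.example"],
               "Patient Jane Roe, SSN 123-45-6789, diagnosis attached.", clinic).action)
    print(scan("dr@clinic.example", ["rx@clinic.example"],
               "Viagra refill approved for the patient.", clinic).action)
    print(scan("ops@shop.example", ["cust@mail.example"],
               "Your order 1234567890123456 has shipped.", shop).action)
```

The three actions mirror the article's observations: confirmed identifiers bound for an outside domain are encrypted rather than blocked, and only the ambiguous hits (a 16-digit run that fails the Luhn check, a spam-list word the organization has not whitelisted) reach the person who reads exceptions.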
In a SearchSecurity.com tip on outbound content filtering, Mike Rothman, president and principal analyst of Security Incite, said outbound content filtering and leak prevention technologies may become a feature of perimeter platforms and endpoint security suites. Rothman said that currently there is no silver bullet or generic solution to the problem.
"If you've determined that 95% of your organization's risk is derived from potential email message leaks, then using the outbound filtering capabilities within your existing email security device will suffice," Rothman said.
As more employees use mobile devices, such as iPhones and BlackBerrys, to send email, companies are growing more concerned about data leakage. Fifty-six percent of U.S. respondents said they were "concerned" or "very concerned" about confidential or proprietary information slipping into outbound email messages sent from smartphones and other wireless, mobile devices.
Web-based email and instant messaging were also areas in which companies feared losing sensitive information. In the UK, 66% of those surveyed said they have deployed technology to monitor content in Webmail services such as Microsoft Hotmail and Google Gmail and in other HTTP traffic. Blogging and social networking sites are also areas of concern.
The number of employees terminated as a result of violating email policies has remained steady, according to Proofpoint's Crosley. About 26% of U.S. companies surveyed said they terminated an employee for violating email policies in the past 12 months. More than half of U.S. companies surveyed disciplined an employee for violating email policies in the past year.
Crosley said formal training on email policies continues to lag. Only one-third of companies said they had such training.
"It's relatively easy to get fired for an employee gaffe, but many firms are not training employees properly," he said. "If an organization has regulatory restrictions, formal training should be in place."
Policy-based email encryption is on the rise, but the technology is still expensive to use, according to the survey. Thirty-two percent of U.S.-based companies said they have deployed such email encryption technology to send sensitive messages to customers and employees. The trend is being driven primarily by healthcare organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). Still, less than half of the email that should be encrypted is actually sent in encrypted form.
Crosley said the cost of using encryption will come down over time. He sees growth in the financial services industry, where there is a big concern about consumer financial data leaking into the wrong hands.
"Healthcare leads the way because there is such a big requirement there but there's a big uptake in encryption for retailers and online merchants," Crosley said.