Why DLP Has Failed and What the Future Looks Like

Data loss - whether accidental or intentional - is a big problem for organizations. Why? Because people control our data, and people break the rules and make mistakes.
We’re only human.

Email threats from external bad actors like spear phishing and business email compromise dominate headlines. But email threats from insiders are steadily rising.

In fact, there’s been a 47% increase in incidents over the last two years; this includes accidental data loss and deliberate data exfiltration by negligent or disgruntled employees or contractors.

While every incident of data loss or leakage may not result in a breach, many do, and the cost can be tremendous. And, with GDPR fines totaling nearly €50 million in the first quarter of 2020 alone, data privacy regulations are going to drive the cost of resolution even higher.

That’s one reason why data loss prevention (DLP) is one of the top spending priorities for IT leaders and why email is the threat vector most IT leaders are concerned about protecting. 

The question is: Do security, compliance, and IT leaders have true visibility over how their employees are handling and mishandling data on email? 

According to our research, not yet. But, after reading this report, they should have enough information to inform their view.

IT leaders are over-reliant on security training.
While the DLP market is saturated with rule-based software, IT leaders actually count security awareness training and “following company policies and procedures” as the most effective ways to prevent data loss.

Perhaps that’s why over half (61%) of employee survey respondents have training every 6 months or more and highly regulated industries like Financial Services and Healthcare have it even more frequently.

Security awareness training confronts the crux of data loss by educating employees on best practice and company policies. But how effective is training, and can it actually change human behavior for the long term?

More training doesn’t equate to fewer security incidents.

The percentage of the employees surveyed who admit to sending misdirected emails (emails accidentally sent to the wrong person) is the highest in organizations that provide security awareness training the most frequently: 63% of employees who receive training every 1-3 months say they remember sending emails to the wrong person. This number drops to 43% in organizations that conduct training once a year or less often.

Likewise, employees who receive training once every 1-3 months were almost twice as likely to say they’ve sent company data to personal email accounts as employees who receive training just once a year. At Tessian we call these “unauthorized emails”.

Employees aren’t reporting their mistakes.
One of the reasons IT leaders don’t have true visibility over the flow of data within their organizations is because employees don’t always report their mistakes internally.

Whether it’s because they’re afraid to admit wrongdoing or simply because they don’t know the implications or their internal reporting processes, this means many security leaders underestimate how many misdirected emails are sent within their organization every year.

IT leaders working at organizations with 1,000+ people in the US estimate 480 emails are sent to the wrong person every year. On the other hand, according to Tessian data, an average of 800 emails are misdirected in organizations with 1,000 employees during a single year.

The most culpable? Young, digital natives.
Understandably, behaviors vary based on different demographics, but generational differences are the most stark.

For example, according to the survey respondents, 18-30-year-olds – who have grown up in an “always-on” culture – are 3x more likely to send misdirected emails than workers who are 51+. And, while 31-40 year olds are more careful on email, over half (57%) admit to firing off an email to the wrong person.

This is especially concerning because millennials (aged 22-38) represent the largest labor market share of any single generation.

People break the rules more often than IT leaders think.
While sending company data to personal email accounts isn’t always malicious, it is often against security policies.

Of course, sending company data to a personal email account can also be a sign of intentional data exfiltration by, for example, a disgruntled employee on their way out or an insider threat.

This happens much more often than IT leaders think. While they estimate just 720 unauthorized emails are sent each year in organizations with 1,000+ employees, according to Tessian data, an average of 27,500 unauthorized emails are sent a year in an organization with 1,000 employees.

That’s 38x more than estimated.

US employees are the least careful and compliant.

Based on the survey results, employees in the US break the rules more often than those in the UK. Not only are they twice as likely to send unauthorized emails, they’re also almost twice as likely to download, save, or otherwise exfiltrate work-related documents before leaving or after being dismissed from a job.  

They also seem to make more mistakes. The likelihood of misdirecting an email doubles in the US, with 72% of US employees admitting to doing so compared to just 31% in the UK. 

This suggests data privacy regulations like GDPR – which sparked a 44% increase in cybersecurity investment in the UK – could be influencing how people handle data. Will new standards like the CCPA effect similar positive changes in the US?

Remote-working brings new challenges.

As many organizations have been forced to adopt remote-working structures and policies – and as more are opting to keep these flexible structures – maintaining visibility over data flow is now more difficult. The new office is a virtual one, which means past strategies have become obsolete. In fact, they became obsolete the day companies switched to remote-working. It’s no wonder, then, 84% of IT leaders say DLP is more challenging when their workforce is working remotely. 

Nonetheless, 91% of IT leaders say they trust their employees to follow security best practice while out of the office. 

Adjusting to the “new normal”.

When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%), not being closely monitored by IT teams (48%), and being distracted (47%) as the top three reasons.

It makes sense. When working remotely – especially from home – people have other responsibilities or distractions like childcare and roommates and, more often than not, they don’t have dedicated workstations like they do in their normal office environment. This isn’t trivial.

Risky Business.

Once again, there is a marked difference in responses based on age, region, and frequency of training. While just 19% of employees 51 and over feel they can get away with riskier behavior while working from home, 59% of employees aged 18-30 said the same. Likewise, US workers are almost twice as likely to agree they can get away with more while out of the office. 

Without the watchful eye of IT staff, employees are inclined to seek out the easiest or most convenient path to getting their jobs done. And, when you consider over half (51%) of employees say security policies impede their productivity, the easiest or most convenient path often involves skirting around security rules. 

Next-Gen DLP.

Machine learning-based protections are a step in the right direction for DLP, though. In fact, one in five (19%) security leaders believe machine learning and intelligent automation is the most effective way to prevent data loss.

Without inhibiting employees or burdening IT teams, machine learning algorithms trained on millions of your own historical email data points can understand normal patterns of employee behavior and accurately and automatically predict when they’re making a mistake or breaking the rules. 

Next Generation DLP takes human error out of the cybersecurity equation, protects your people, and empowers them to work safely wherever they are.  
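As an added illustration of the behavioural-baseline idea this section describes (example code written for this page, not Tessian's algorithm or product code): a per-sender history of past recipients is learned from a constructed sent-mail log, and each new outbound message is then scored for recipients the sender has never emailed (the signal behind a misdirected-email warning) and for recipients at free-mail domains (a rough proxy for the "unauthorized email" pattern, assumed here for illustration rather than taken from the report).

```python
"""Behavioural baseline for misdirected / unauthorized outbound email.

Added example: a per-sender recipient baseline replaces static keyword rules.
HISTORY and FREEMAIL_DOMAINS are constructed sample data, not real mail.
"""
from collections import defaultdict

# Constructed historical sent-mail log: (sender, [recipients]).
HISTORY = [
    ("alice@example.com", ["bob@example.com", "carol@partner.example"]),
    ("alice@example.com", ["bob@example.com"]),
    ("alice@example.com", ["dave@partner.example", "carol@partner.example"]),
    ("bob@example.com", ["alice@example.com"]),
]

# Constructed list; a deployment would maintain a fuller free-mail domain list.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def build_baseline(history):
    """Map each sender to the recipient addresses and domains they have used."""
    seen = defaultdict(lambda: {"addrs": set(), "domains": set()})
    for sender, rcpts in history:
        for r in rcpts:
            r = r.lower()
            seen[sender]["addrs"].add(r)
            seen[sender]["domains"].add(r.split("@")[1])
    return seen


def score_message(baseline, sender, recipients):
    """Return (recipient, reason) findings for one outbound message.

    Free-mail recipients are flagged as unauthorized; recipients the sender has
    never contacted are flagged as possible misdirection, with a new address at
    a known domain (a typo or autocomplete slip) distinguished from a domain the
    sender has never written to at all.
    """
    profile = baseline.get(sender, {"addrs": set(), "domains": set()})
    findings = []
    for r in recipients:
        r = r.lower()
        domain = r.split("@")[1]
        if domain in FREEMAIL_DOMAINS:
            findings.append((r, "unauthorized: free-mail recipient"))
        elif r not in profile["addrs"]:
            if domain in profile["domains"]:
                findings.append((r, "possible misdirection: new address at known domain"))
            else:
                findings.append((r, "possible misdirection: never-contacted domain"))
    return findings
```

A real system would also weigh how recently and how often each correspondent was used, and the thread context, before warning the sender; the baseline here is the minimal form of that idea.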

The Key Insights.
While sending an email to the wrong person, forwarding company data to a personal email account, or disregarding security policies every now and then may seem inconsequential to employees, these behaviors can and do lead to data breaches.

According to Tessian’s own data and survey results:

  • 1.6x more misdirected emails are sent than IT leaders estimated and unauthorized emails are sent 38x more frequently than estimated.
  • Employees who receive training once every 1-3 months are almost twice as likely to send company data to personal email accounts as employees who receive training just once a year.
  • While 91% of IT leaders trust their employees to follow safe data practices while working from home, 48% of employees say they’re less likely to follow safe data practices when working from home.
  • Dozens more insights in the full report.

Download the full report for even more insights about how to effectively prevent data loss, the challenges associated with remote-working, and the behaviors and attitudes of employees.

METHODOLOGY
In addition to using Tessian platform data, we commissioned OnePoll to survey 2,000 working professionals: 1,000 in the US and 1,000 in the UK. Additionally, OnePoll surveyed 250 IT leaders in the US.

Survey respondents varied in age from 18-51+, occupied various roles across departments and industries, and worked within organizations ranging in size from 2-1,000+.

We also interviewed several IT, security, and compliance professionals with diverse backgrounds, all of whom provided insights that helped frame this report.

Publicly available third-party research was also used, with all sources listed in the downloadable PDF.

Midpoints and averages were used when calculating some figures, and percentages may not always add up to 100% due to rounding.