A staggering 94 percent of companies admit that they are powerless to prevent confidential data from leaving their company by e-mail, according to a new study from Mimecast.
The survey was carried out by Emedia on behalf of the e-mail management provider, and interviewed 125 IT managers in the United Kingdom.
It found that only 6 percent of respondents were confident that anyone attempting to send confidential information out of the organization by e-mail would be prevented from doing so.
The study also showed that 32 percent of companies would not even be aware that confidential information had been leaked, and therefore would be unable to take steps to minimize the damage or track down the source of the information.
However, 62 percent said they would be able to retrospectively identify the e-mail leak once the information had been sent, but they did confess to being unable to prevent its disclosure.
"The figures show that organizations haven't nailed down the e-mail channel," said Tim Pickard, marketing director at Mimecast. "e-mail protection is catching on as a technology that manages information, as the industry moves away from protect-and-defense, to becoming more aware how information flows around the organization."
And it seems the analyst community agrees. "These figures do not surprise me - on the whole employees are not sending stuff out maliciously, but through carelessness or lack of forethought," said Bob Tarzey, security analyst at Quocirca.
"Education can help to some extent, but many employees are using communications tools all day, every day and mistakes will happen, so having checks in place makes sense. Affordability of available technology to tackle the problem is also a problem, as most businesses are unable to invest in the high end, on-premise Data Leak Prevention (DLP) products that large business can."
The survey also revealed that a quarter of companies couldn't retrieve an e-mail that had been sent 3 years ago. A further 29 percent said it would take days, or even weeks, to retrieve the information.
"Most leaks occur via e-mail," confirmed James Blake, Mimecast's chief product strategist. "Two thirds of data leaks occur via e-mail." He highlighted an Infowatch survey, which said that 95 percent of leaks are accidental. "I would go along with that figure," he said. "From what I have seen most leaks are accidental."
Yet e-mail leaks are nothing new. Back in May this year, the Conservative party accidentally e-mailed the voting intentions of 8,000 voters in the Crewe and Nantwich by-election to a journalist at a local radio station. It was thought that the automated completion of an e-mail address was to blame for the mistake.
The survey also revealed that the biggest e-mail problem facing IT managers is blocking spam, viruses and other malware. This may explain why companies haven't clamped down on e-mail as a leak route before now, despite Infowatch saying that the e-mail route accounted for two thirds of all data losses, compared to data loss from, say, laptop theft or memory sticks.
"It is not that they have not wanted to clamp down on leaks," said Blake. "They have been aware for some time, but it is more the fact that there wasn't the technology to do so. e-mail protection is a consolidation of several technologies."
"People have been wanting it, and now vendors are selling solutions, most of which are data leak protection products, focused on leaks, and not the environment in which leaks occur," he added. "There are a lot of integration issues to consider, namely integration with encryption, policies, different classification of data etc."
"A data leak solution needs to fit into wider risk management solution," cautioned Blake. He advised IT managers to adopt a more holistic approach when securing their e-mail systems. "They should be information centric in their approach," said Blake. "They should look at what they are trying to protect, how long they need to protect their data for, who uses that data etc."
"The security industry is oriented around keeping customers in a constant state of fear," Blake added. "We need to change attitudes, from perimeters and technology focused, to information focused."
Mimecast offers its unified e-mail management product as an on-demand service, which includes e-mail continuity, anti-spam and anti-virus, as well as archive and search, and compliance.