Report: Why DLP Has Failed and What the Future Looks Like

A new report from email security firm Tessian examines the state of data loss in organizations. This report reveals that nearly half of employees (48%) are less likely to follow safe data practices when working from home. The State of Data Loss Prevention 2020 report reveals how the global shift to remote working poses new security challenges for businesses and why traditional security solutions are failing to curb the problem of insider threat and accidental data loss.

Remote Work Compounds Insider Threats

While 91% of IT leaders trust their staff to follow best security practices when working remotely, over half of employees (52%) believe they can get away with riskier behavior when working from home. Half (48%) cite “not being watched by IT” as a reason for not following safe data practices, closely followed by “being distracted” (47%). Additionally, staff report that security policies are a hindrance — 51% say such policies impede productivity, and 54% will find workarounds if security policies stop them from doing their jobs.

Eighty-four percent of IT leaders say data loss prevention is more challenging when employees work from home, and 58% think information is less secure when working remotely.

Data Loss is Pervasive and IT Leaders are Struggling to Contain It

According to the 2020 Verizon Data Breach Investigations Report, 30% of breaches involve internal actors exposing company information through negligent or malicious acts. Insider threats and data loss over email are particularly challenging for IT leaders to control because they lack visibility into the threat.

Key findings from Tessian’s report: 

  • US employees are more than twice as likely as UK workers to send emails to the wrong person (72% vs. 31%).
  • IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year. Yet, Tessian platform data reveals that employees send at least 800 misdirected emails per year — 1.6x more than IT leaders estimate.
  • US employees are twice as likely to send company data to their personal email accounts as their UK counterparts (82% vs. 35%).
  • IT leaders in US organizations with over 1,000 employees estimate that just 720 emails are sent to unauthorized accounts a year. The reality, per Tessian platform data, is at least 27,500 unauthorized emails are sent a year — 38x more than IT leaders estimate.
  • One-third (34%) of employees take company documents with them when they leave a job, with US workers twice as likely as UK workers to do so (45% vs. 23%).

IT leaders rely on security awareness training, policies, and legacy technologies to prevent data loss, yet these practices may not be as effective as they think. The report finds that employees who receive security training every 1-3 months are almost twice as likely to send company data to personal accounts as those who receive training once a year (80% vs. 49%).

“Businesses have adapted quickly to the abrupt shift to remote working. The challenge they now face is protecting data from risky employee behaviors as working from home becomes the norm,” said Tim Sadler, CEO and co-founder of Tessian. “Human error is the biggest threat to companies’ data security, and IT teams lack true visibility of the threat. Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making costly mistakes that result in data breaches and non-compliance. It’s critical these solutions do not impede employees’ productivity, though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”

Differences by Age and Company Size

In addition to differences in safe security practices by region, there are also notable contrasts among age groups and startups vs. large enterprises. For example:

  • 50% of workers from small companies (2-49 employees) agree they’re less likely to follow safe data practices when working from home, compared to 30% from companies with 1,000 employees or more.
  • The 18-30 age demographic is 3x more likely to send emails to the wrong person — 69% vs. 21% of workers who are 51 or older. And while 31-40-year-olds are more careful on email, over half (57%) admit to sending misdirected emails.
  • 41% of workers aged 18-30 have taken company documents with them when they’ve left a job, compared to only 13% of workers aged 51 and older.

About the research

In addition to using Tessian platform data, Tessian commissioned OnePoll to survey 2,000 professionals (1,000 in the US and 1,000 in the UK) across various company sizes and industries, as well as 250 IT professionals to identify trends in data loss based on human behavior and error. 

About Tessian

Tessian builds technology to empower people to work safely, without security getting in their way. Tessian’s Human Layer Security platform automatically protects employees on email – where they spend 40% of their time – from risks like data exfiltration, accidental data loss, and phishing. The company has raised $60m from security investors like Sequoia and Accel and has offices in San Francisco and London.
