Bound by regulatory requirements and spooked by a wave of data theft, companies are increasingly finding it necessary to monitor employees' business email and Internet activities to ensure nobody's leaking sensitive company data. But employees may not realize some of their colleagues may have been hired specifically to keep an eye on them.
According to a survey of 300 IT decision makers by Cupertino, Calif.-based email security firm Proofpoint, Inc. and Atlanta, Ga.-based Forrester Consulting, some companies are hiring staff specifically for this task.
Regulatory requirements that dictate how information should be disseminated are essentially what's driving the enterprises that monitor employees' activities, said Keith Crosley, director of market development for Proofpoint. But that motivation has shifted in response to mounting headlines about data security breaches in the last 18 months.
"While companies are still motivated by regulation, they are also motivated by the need to catch thieves," Crosley said. "Retailers have suffered recent hacks, so they are getting more interested in keeping customer data under control."
DeKalb Medical Center in Atlanta hasn't hired staff to read outgoing emails, but Sharon Finney, the center's information security administrator, said her organization does worry that sensitive data may leak out by email.
"As a hospital that's becoming all digital, the more information we make electronic, the more possible it is for information to escape by email," Finney said. "There are people out there who want to take advantage of others for their health benefits and employees can easily copy and paste sensitive data from an application to an email."
No significant breaches have occurred at the hospital, and smaller infractions have taken place at the hands of employees who simply needed more education, she said. But there's always the concern about something serious happening, and that concern was reflected in the survey results. Crosley said the survey found 71% of respondents to be "very concerned" about protecting ID and privacy information in outbound emails.
Other highlights from the survey, which was conducted during a two-and-a-half-week period in May, include:
- Nearly half of respondents from companies with at least 20,000 employees said they hire staff to read and analyze outgoing email, compared to 38% of respondents from companies with 1,000 or more employees.
- More than one in three of those polled said they've had to investigate a suspected email leak of sensitive information, and 36.4% have investigated a suspected violation of data security rules in the past year.
- Nearly one in three companies terminated an employee for violating email policies in the past 12 months, while more than half have disciplined an employee for violating email policies in the past year.
- Respondents estimated that more than one in five outgoing emails has contained content that poses a legal, financial or regulatory risk. The most common form of non-compliant content is a message containing confidential or proprietary business information.
- More than a third of respondents said their companies were negatively affected by the exposure of sensitive or embarrassing information in the last year.
- More than one in five were negatively affected by improper exposure or theft of customer information, while 15% were negatively affected by improper exposure or theft of intellectual property.
- 25.2% were ordered by a court or regulatory body to produce employee email in the last year.
- 18% investigated the exposure of confidential, sensitive or private information by a third-party vendor or outsourcing firm with whom they share such data.
Meanwhile, blogs and message boards are becoming greater sources of risk for those surveyed. Nearly one in five companies has disciplined an employee for violating blog or message board policies in the past year, while 7.1% of companies fired an employee for such infractions and 10% investigated the exposure of financial information via a blog or message board posting in the past year.
Crosley said some customers have come to Proofpoint specifically because they concluded technology could track outbound email content more efficiently than humans.
"Using staff to handle content security opens up all these employee privacy issues," he said. "It's better to put technology in place that can be programmed to check for compliance violations and such than to have human beings randomly checking emails."
Finney agreed. "We have more than 200,000 messages going out a month. It's impossible for a single person or multiple people to scan that much email," she said. The organization also doesn't want there to be any questions as to whether some people are being monitored more than others. That too is where technology is the answer.
"From a privacy perspective, having a tool do it excludes the human subjectivity and gives you objective data," said Finney, a Proofpoint customer. "The tool doesn't look at who the email is from. It just says, 'Here's a potential risk.'"