Companies routinely share sensitive information via email
PhoneFactor announced a new survey data regarding the vulnerability of company email systems. The majority of respondents reported that highly sensitive information about their corporate strategy or customer base is communicated via email. For 80% of respondents, the only thing standing between an attacker and this email communication is a username and password.
When the personal email accounts of Mitt Romney and Sarah Palin were hacked it made the news, but the vast majority of people don’t believe their personal or business email is under attack. Cases like the decade-long monitoring of email belonging to Nortel executives prove that email communication is in fact incredibly valuable and therefore highly targeted by cybercriminals.
To test the point, we surveyed more than 400 IT professionals about the types of information sent via their company email systems and what they are doing to secure access to it.
Nearly three-quarters (73%) of respondents consider the data they transmit in company email to be highly sensitive.
Survey respondents indicated the following proprietary documents were likely sent via their company email: Proprietary Company Information – Business Process and Corporate Strategy (59%) Sales Communications – Sales Quotes and RFPs (54%) Sensitive Information About Customers (49%) Intellectual Property – Product Roadmaps and Designs (48%) Company Financials – Budgets and Sales Forecasts (46%)
Larger companies also reported HR Information, such as compensation plans and reviews, (47%) and Individual Employee Information, such as social security numbers and personal data, (38%) as being commonly sent through email.
The information their corporate executives transmit is considered even more sensitive, including material like: Budgeting Plans/Details (76%) Product Roadmap Plans (63%) Sensitive Compensation Issues (47%) Potential Layoffs and Reorganizations (45%) M&A Activities (33%)
If information from a senior executive was compromised, respondents surmised the top three impacts to their business would include: Public Embarrassment/Hit to Company Reputation (59%) Lost Trust Among Customers (54%) Lost Trust Among Employees (49%)
The results were slightly different in healthcare where overall impacts were much higher and Legal Fines/Penalties (53%) were also a key concern, as well as in government where Disruption to Workflow (36%) was a top concern.
For larger organizations, Public Embarrassment was seen as a potential impact for 73% of respondents with Lost Trust Among Customers at 57% and Lost Trust Among Employees at 61%. For nearly one-third (30%) of respondents, these impacts translated into potential Lost Shareholder Value.
74% of respondents were either not at all confident or only somewhat confident that their existing security precautions are adequate to prevent an attacker from penetrating their company email system. Further, 80% said that that if a bad guy obtained an employee’s username and password, he could gain access to at least some users’ accounts.
When asked if two-factor authentication is critical to prevent unauthorized access to company email, nearly three-quarters (74%) felt it was at least somewhat critical, with 47% rating it as very or extremely critical. However surprisingly, only 26% of respondents currently require two-factor authentication to secure remote access to company email for all of their users.
With individuals accessing business email from a growing number of remote access points, the exposure for companies is significant and growing. Use of personal smartphones and/or tablets (70%), referred to as BYOD, is nearly tied with access from company supplied mobile devices (67%).
Most companies (80%) allow access from personal desktop and/or laptop computers. Less than 2% of respondents reported that their employees do not access company email from outside the office.
There seems to be a heightened awareness of the need to secure email systems. Nearly all respondents (96%) found it important to secure access to company email, with 71% rating it very or extremely important. Additionally, 41% have elevated the importance of email security in the past 12 months, and one-third (33%) are planning to add additional security controls to company email in the next year.
As indicated by these survey results, organizations clearly understand the risk they face regarding remote access to company email as well as the importance of securing it. However, a large majority do not feel confident that they have adequate protections in place. Companies are moving to enhance security procedures in what they see as an increasingly unsafe environment.