1% of users are responsible for 88% of data loss events
Data loss is a problem stemming from the interaction between humans and machines, and ‘careless users’ are much more likely to cause those incidents than compromised or misconfigured systems, according to Proofpoint.
While organizations are investing in Data Loss Prevention (DLP) solutions, Proofpoint’s report shows that those investments are often inadequate, with 85% of surveyed organizations experiencing data loss in the past year.
More than nine in 10 of those affected faced a negative outcome such as business disruption and revenue loss (reported by more than 50% of affected organizations) or reputational damage (40%). Yet, surprisingly, data from Proofpoint’s platform reveals only 1% of users are responsible for 88% of alerts.
“This research illuminates the most critical aspect of the data loss problem: its human causes,” said Ryan Kalember, chief strategy officer, Proofpoint. “Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, all while GenAI tools are absorbing common tasks—and gaining access to confidential data in the process. Organizations need to rethink their DLP strategies to address the underlying cause of data loss—people’s actions—so they can detect, investigate, and respond to threats across all channels their employees are using including cloud, endpoint, email, and web.”
Data loss is a widespread yet preventable problem
Organizations experienced the equivalent of more than one incident per month (a mean of 15 data loss incidents per organization in the past year), and 71% of respondents said the main cause was careless users. Carelessness includes misdirecting emails, visiting phishing sites, installing unauthorized software, and emailing sensitive data to a personal account.
These are all preventable behaviors that could be mitigated with practices such as implementing DLP policy rules for email, web uploads, cloud file syncing, and other common data exfiltration methods.
According to 2023 data from Tessian, about one-third of employees sent one or two emails to the wrong recipient. That means a business of 5,000 employees can expect to deal with around 3,400 misdirected emails per year. A misdirected email containing employee, customer or patient data can potentially trigger a significant fine under GDPR and other legal frameworks.
Tools such as ChatGPT, Grammarly, Bing Chat and Google Gemini are increasing in power and utility, and more users are inputting sensitive data into these applications. “Browsing gen AI sites” has become one of the top five DLP and insider threat alert rules configured by organizations using Proofpoint’s Information Protection platform.
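The channel-based DLP policy rules described above (sensitive data emailed to a personal account, uploads of sensitive content to generative AI sites) can be illustrated with a small rule evaluator. This is an added example, not code from the Proofpoint report or any vendor platform; the event schema, the corporate domain, the webmail and GenAI host lists, and the sensitive-content patterns are all constructed assumptions for illustration.

```python
"""Minimal DLP policy rule evaluation over constructed outbound events.

Added example; the event layout, domain lists and content patterns are
assumptions, not a real product's rule syntax.
"""
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"                               # assumed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}    # assumed list
GENAI_SITES = {"chat.openai.com", "gemini.google.com"}          # assumed list

# Sensitive-content indicators: a classification label in the text, or a
# US SSN-shaped number. Real deployments use classifier output and fingerprints.
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b", re.I)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Event:
    user: str
    channel: str       # "email" or "web_upload"
    destination: str   # recipient address (email) or upload host (web_upload)
    content: str       # subject plus body, or the uploaded text


def is_sensitive(text):
    """True if the text carries a classification label or an SSN-shaped value."""
    return bool(LABEL_RE.search(text) or SSN_RE.search(text))


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(event):
    """Return the name of the first matching policy rule, or None if clean."""
    if not is_sensitive(event.content):
        return None
    if event.channel == "email":
        dom = recipient_domain(event.destination)
        if dom in PERSONAL_WEBMAIL:
            return "email_sensitive_to_personal_account"
        if dom != CORPORATE_DOMAIN:
            return "email_sensitive_to_external_domain"
        return None  # sensitive data staying inside the corporate domain
    if event.channel == "web_upload":
        if event.destination.lower() in GENAI_SITES:
            return "upload_sensitive_to_genai_site"
        return "upload_sensitive_to_web"
    return None


def run_rules(events):
    """Evaluate every event; return (user, rule) pairs for the ones that alert."""
    return [(e.user, rule) for e in events if (rule := evaluate(e))]


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    Event("alice", "email", "bob@example.com", "CONFIDENTIAL: Q3 forecast attached"),
    Event("alice", "email", "alice.home@gmail.com", "CONFIDENTIAL: Q3 forecast attached"),
    Event("carol", "email", "partner@vendor.example", "Payroll export, SSN 123-45-6789"),
    Event("dave", "web_upload", "chat.openai.com", "Summarise: employee 987-65-4321 ..."),
    Event("erin", "web_upload", "files.example.net", "Lunch menu for Friday"),
]

if __name__ == "__main__":
    for user, rule in run_rules(SAMPLE_EVENTS):
        print(f"{user}: {rule}")
```

Only the second, third and fourth sample events alert: the first stays inside the corporate domain and the last carries nothing sensitive. In practice the content check would come from a classifier and the destination lists from a managed category feed, but the rule shape (channel, destination class, content sensitivity) is the same.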
Consequences of malicious actions can be costly
20% of respondents said malicious insiders such as employees or contractors were behind data loss incidents. Malicious actions, including those of departing employees who seek to harm the organization, can have even greater implications than the mistakes of careless insiders because these individuals are motivated by personal gain.
Departing employees do not always think they are acting maliciously—some simply feel entitled to leave with information they have produced. Proofpoint data shows that 87% of anomalous file exfiltration among cloud tenants over a nine-month period was caused by departing employees, underscoring the need for preventative strategies such as implementing a security review process for this user category.
Organizations’ data loss prevention programs are maturing
63% of respondents identified employees with access to sensitive data, such as HR and finance professionals, as representing the greatest risk of data loss.
Additionally, Proofpoint data shows that 1% of users are responsible for 88% of data loss events. These findings indicate that organizations must prioritize best practices such as using data classification to identify and protect business-critical data and the “crown jewels,” as well as monitoring people with access to sensitive data or admin privileges.
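The concentration figure quoted here (1% of users behind 88% of alerts), together with the recommendation to monitor departing employees and users with sensitive-data or admin access, suggests a simple analysis a security team can run over its own alert feed: rank users by alert count, measure how few users cover a given share of alerts, and prioritise review by access context. This is an added example, not the report's methodology or any vendor's code; the alert records, the monitored-user population, the directory attributes and the priority weights are constructed assumptions.

```python
"""Alert-concentration analysis and review prioritisation over constructed
DLP alert records. Added example; the data and weighting are assumptions.
"""
from collections import Counter

# Constructed alert records: two heavy generators plus twelve one-off alerts,
# 100 alerts in total. A real feed would also carry timestamps and rule names.
ALERTS = (
    [{"user": "u001", "channel": "web_upload"}] * 44
    + [{"user": "u002", "channel": "email"}] * 44
    + [{"user": f"u{100 + i:03d}", "channel": "email"} for i in range(12)]
)
POPULATION = 200  # constructed: all monitored users, most of whom never alert

# Constructed directory attributes (assumed schema) used to prioritise review.
DIRECTORY = {
    "u001": {"dept": "finance", "admin": False, "departing": True},
    "u002": {"dept": "engineering", "admin": True, "departing": False},
}


def alerts_per_user(alerts):
    """Count alerts by user id."""
    return Counter(a["user"] for a in alerts)


def concentration(counts, population, share=0.88):
    """Smallest number of users whose alerts cover at least `share` of all alerts.

    Returns (users_needed, fraction_of_population, share_actually_covered).
    """
    total = sum(counts.values())
    covered = 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / total >= share:
            return n, n / population, covered / total
    return len(counts), len(counts) / population, 1.0


def watch_list(counts, directory, top_n=5):
    """Rank the heaviest alert generators for review.

    Priority is the alert count plus assumed weights for a pending departure
    (the report's 87% of anomalous cloud exfiltration) and admin privileges.
    """
    rows = []
    for user, c in counts.most_common(top_n):
        attrs = directory.get(user, {"dept": "unknown", "admin": False, "departing": False})
        priority = c + (100 if attrs["departing"] else 0) + (50 if attrs["admin"] else 0)
        rows.append({"user": user, "alerts": c, "priority": priority, **attrs})
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


if __name__ == "__main__":
    counts = alerts_per_user(ALERTS)
    n, frac, cov = concentration(counts, POPULATION)
    print(f"{n} users ({frac:.1%} of {POPULATION}) generate {cov:.0%} of alerts")
    for row in watch_list(counts, DIRECTORY):
        print(row)
```

With the constructed data, two users out of two hundred (1%) account for 88% of alerts, and the departing finance user ranks above the admin despite an equal alert count. The weights are deliberately crude; the point is that alert volume alone does not order the review queue, access context does.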
While many programs were initially implemented in response to legal regulations, more than 50% of survey participants cited protection of customer and employee privacy as the primary driver. The finance industry is an exception—regulation was the most common response for these organizations, followed by the healthcare and government sectors.
“Emerging channels underscore the importance of regularly reviewing DLP programs, as these types of rapid developments change user behaviors,” said Kalember. “Strategies such as implementing purpose-built DLP platforms can help advance security programs by enabling security teams to gain full user and data visibility into all incidents and address the full spectrum of human-centric data loss scenarios. Humans are a critical data security variable—and data loss prevention programs must recognize this.”