The Insider Incident of the Month blog series sheds light on the growing problem of email exfiltration of sensitive data to unauthorized accounts. It also examines how Proofpoint helps protect against these serious data loss events. Stories in this blog series are anonymized.
In today’s digital landscape, email is still one of the most widespread communication tools. However, email also carries a significant data security risk: the sending of sensitive data to unauthorized accounts. Often, the cause is simple carelessness. Other times, it comes from an insider threat such as a disgruntled or malicious employee. But one thing is always true: sensitive data loss through email can have devastating results. For businesses, these include reputational damage, regulatory fines, and financial losses. There’s also the negative impact on individuals whose personal information has been shared or stolen.
Every month, Proofpoint conducts a number of email data loss assessments. Each assessment is a confidential evaluation that helps an organization gain visibility into the sensitive data that employees or other insiders are sending outside the organization. This is critical insight for building a robust data loss prevention (DLP) strategy that includes email.
In this blog, we examine anonymized results from one of these email data loss assessments to highlight the problem of sensitive data being sent to unauthorized accounts.
Case study: email exfiltration at a large healthcare facility
In the following case study, an employee at a large healthcare facility was unhappy and planning to leave. Before leaving, they emailed a large amount of sensitive patient data to their private email address. This is a common scenario discovered during our assessments. But it’s often surprising to assessment participants. It’s important to remember that not all data sent to personal or unauthorized accounts is sensitive. For example, an employee might simply be emailing work home. Or they might be forwarding booking information for a work-related trip. But it’s vital to detect when they send proprietary, confidential, or valuable information. In a healthcare setting, this might be radiographic scans, patient chart notes, personally identifiable information (PII), and more.
How does an email data loss assessment work?
During an evaluation, we deploy Proofpoint Adaptive Email DLP in a portion of the customer environment. In this phase, the product learns to detect anomalies based on historical email data. A key goal is to identify unauthorized accounts and any sensitive data sent to those accounts over the previous six months.
After the evaluation process, Proofpoint conducts a review of unauthorized accounts detected and instances of sensitive data being sent to those accounts. The review includes the sender, recipient, subject, body, and attachments of any anomalous emails. For participants, this review is often a revealing discussion.
How does Proofpoint identify data sent to unauthorized accounts?
Adaptive Email DLP uses behavioral AI and the industry’s broadest email datasets to analyze working relationships and understand the difference between safe business communication and sensitive data being sent to unauthorized accounts. Adaptive Email DLP analyzes more than six months of email data to learn employees’ normal email sending behaviors, trusted relationships, and how they handle sensitive data. Based on this learning, it accurately detects when unusual or unsafe email behavior occurs.
Detection: exfiltration to unauthorized accounts discovered by Adaptive Email DLP
For the healthcare provider, Adaptive Email DLP detected several data exfiltration events during the initial evaluation process. The table shows some anonymized examples of data that Adaptive Email DLP found being exfiltrated by employees.
Remediation: what were the lessons learned?
Protecting against emails being sent to unauthorized accounts involves the following key steps:
- Adopt a layered approach to email DLP. Rules-based DLP is critical in preventing sensitive data loss, but only for known, predefined risks. An adaptive, behavioral approach is necessary to detect unknown risks that you can’t define in a rule. This includes a worker sending sensitive data to themselves or other unauthorized email accounts.
- Implement in-the-moment warning messages. With an adaptive approach, you can enforce in-the-moment nudges that warn users when risky behavior is identified. This approach helps workers make better decisions. It also reinforces policies and stops emails with sensitive data leaving the organization.
- Use behavioral AI and machine learning. Use the power of behavioral AI and machine learning to analyze context, relationships, sending behaviors, and more. This helps to detect personal and unauthorized accounts and identify when sensitive data is being sent to them.
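The layering described above, and the baseline-then-detect idea from the section on identifying unauthorized accounts, can be sketched in a few lines. This is an added example, not Proofpoint's code or its detection method: a simple heuristic in which the domain names, the freemail list, the record-number pattern, the similarity and volume thresholds, and the verdict names are all assumptions, and the message log is constructed.

```python
import re
from difflib import SequenceMatcher
from statistics import median

ORG_DOMAIN = "hospital.example"                       # assumed organisation domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, not exhaustive
RULES = {"mrn": re.compile(r"\bMRN[- ]?\d{6,}\b"),    # constructed record-number format
         "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
# Constructed learning-window log: sender, recipients, message size in bytes.
HISTORY = [
    {"from": "jane.doe@hospital.example", "to": ["ward3@hospital.example"], "bytes": 20_000},
    {"from": "jane.doe@hospital.example", "to": ["results@lab.example"], "bytes": 35_000},
    {"from": "jane.doe@hospital.example", "to": ["results@lab.example"], "bytes": 28_000},
]

def build_baseline(history):
    """Learn each sender's established recipients and typical message size."""
    base = {}
    for m in history:
        b = base.setdefault(m["from"], {"rcpts": set(), "sizes": []})
        b["rcpts"].update(m["to"])
        b["sizes"].append(m["bytes"])
    return base

def personal_lookalike(sender, rcpt):
    """True for a freemail address whose local part resembles the sender's own."""
    letters = lambda addr: re.sub(r"[^a-z]", "", addr.split("@")[0].lower())
    similar = SequenceMatcher(None, letters(sender), letters(rcpt)).ratio() >= 0.7
    return rcpt.split("@")[1].lower() in FREEMAIL and similar

def assess(msg, base):
    """Return (verdict, reasons): rule layer first, then the behavioural layer."""
    b = base.get(msg["from"], {"rcpts": set(), "sizes": [0]})
    reasons = [f"rule:{name}" for name, rx in RULES.items() if rx.search(msg["text"])]
    new_personal = [r for r in msg["to"] if not r.endswith("@" + ORG_DOMAIN)
                    and r not in b["rcpts"] and personal_lookalike(msg["from"], r)]
    if new_personal:
        reasons.append("new-personal-account")
        if msg["bytes"] > 10 * median(b["sizes"]):   # 10x is an assumed threshold
            reasons.append("volume-anomaly")
    if any(r.startswith("rule:") for r in reasons) or "volume-anomaly" in reasons:
        return "flag", reasons
    return ("warn" if new_personal else "allow"), reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    bulk = {"from": "jane.doe@hospital.example", "to": ["janedoe1984@gmail.com"],
            "bytes": 48_000_000, "text": "export attached"}
    print(assess(bulk, base))
```

The bulk send in the demo matches no content rule and is flagged only by the behavioural signals, while a small forward to the same personal address yields a "warn" verdict rather than a flag.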
Conclusion: Proofpoint delivers human-centric email protection
Sensitive data being sent to unauthorized accounts is a significant risk that organizations can’t afford to overlook. Whether due to negligence, insider threats, or malicious leavers, the potential consequences of a data breach are too serious to ignore. With Adaptive Email DLP’s cutting-edge technology, businesses can use behavioral AI to automatically prevent accidental and intentional data loss through email, greatly reducing risk and remediation costs.
Your next steps
- To find out if you have sensitive data being exfiltrated from your organization, sign up for a free, confidential data loss assessment.
- To learn how Adaptive Email DLP stops sensitive data from being sent to unauthorized accounts, download the solution brief.
