Proofpoint’s Inaugural Data Loss Landscape Report Reveals Careless Employees as Biggest Data Loss Problem for Singapore Organisations

Press-Release-DLL-2024

80% of ​organisations in Singapore experienced data loss in the past year;98% of those saw negative outcomes including revenue losses and reputational damage 

SINGAPORE, 19 March 2024​ – Proofpoint, Inc., a leading cybersecurity and compliance company, today released its inaugural ​Data Loss Landscape ​report, which explores how current ​approaches to ​data loss prevention​ (DLP)​ ​and insider threats​ are holding up against current macro challenges such as ​data proliferation, sophisticated threat actors, and ​generative artificial intelligence (GenAI). The findings reveal that data loss is a problem stemming from the interaction between humans and machines ​​— “careless users” are much more likely to cause those incidents than compromised or misconfigured systems. 

While organisations are investing in ​DLP​ solutions​, Proofpoint’s report shows ​that those investments are often inadequate, with 80% of surveyed organisations in Singapore experiencing data loss in the past year. Almost all of those affected faced a negative outcome such as ​​business disruption ​​and revenue loss (reported by more ​than 63% of affected organisations) or reputational damage (30%). ​Yet, surprisingly, global data from Proofpoint’s Information Protection platform reveals only 1% of users are responsible for 88% of alerts.​  

“Data loss primarily stems from human error,” said Jennifer Cheng, director, cybersecurity strategy, Asia Pacific and Japan, Proofpoint. “As such, it’s no surprise that a significant portion of alerts are triggered by careless users. Yet, incidents originating from malicious or compromised individuals tend to inflict more substantial damage on businesses. While organisations in Singapore are making considerable efforts towards data loss prevention, they often fail to address the issue in its entirety.” 

The ​2024 Data Loss Landscape​ report examines third-party survey responses from ​​600 security professionals at organisations with 1,000 or more employees across 17 industries​ from 12 ​​countries, including Singapore​. These insights were supplemented with data from Proofpoint’s Information Protection platform and Tessian, which Proofpoint acquired last October, to convey the scale of the data loss and insider threats that organisations face.  

“This research illuminates the most critical aspect of the data loss problem: its human causes,” said Ryan Kalember, chief strategy officer, Proofpoint. “Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, all while GenAI ​tools are​ absorbing common tasks—and ​gaining access to ​confidential data ​in the process​. Organisations need to rethink their ​DLP​ strategies to address the underlying cause of data loss—people’s actions—so they can detect, investigate, and respond to threats across ​all ​channels​ their employees are using​ including cloud, endpoint, email, and web.” 

Key Singapore findings include: 

  • Data loss is a widespread yet preventable problem: Organisations in Singapore experience​d​ the equivalent of more than one incident per month (a mean of 13 data loss incidents per organisation in the past year), and 68% of respondents said the main cause was careless users. Carelessness includes misdirecting emails, visiting phishing sites, installing unauthorised software, and emailing sensitive data to a personal account. ​These are all​ preventable behaviours that could be mitigated with practices such as implementing DLP policy rules for email, web uploads, cloud file synching, and other common data exfiltration methods. 

  • Consequences of malicious actions can be costly: 33% of Singaporean respondents said malicious insiders such as employees or contractors were behind data loss incidents. Malicious actions and departing employees who seek to harm the organisation can have even greater implications than careless insiders because these individuals are motivated by personal gains.​ 

  • Departing employees were identified as a risky user category by respondents in Singapore:  Departing employees ​do not always think they are acting ​maliciously—some simply feel entitled to leave with information they have produced​. Proofpoint global data show​s​ that 87% of anomalous file exfiltration among cloud tenants over a nine-month period was caused by departing employees, underscoring the need for preventative strategies such as implementing a security review process for this user category. 

  • Privileged users are the riskiest: 74% of respondents in Singapore identified employees with access to sensitive data, such as HR and finance professionals, as representing the greatest risk of data loss. Additionally, Proofpoint global data shows that 1% of users are responsible for 88% of data loss events. These findings indicate that organisations must ​prioritise​ best practices such as using data classification to identify and protect business-critical data and the “crown jewels,” as well as monitoring people with access to sensitive data or admin privileges. 

  • Organisations’ data loss prevention programs are maturing: While many programs were initially implemented in response to legal regulations, more than 50% of survey participants in Singapore cited protection of customer and employee privacy as the primary driver alongside protecting intellectual property (50%).

Key global findings include: 

  • Misdirected email is one of the simplest and most significant sources of data loss: According to 2023 data from Tessian, about one-third of employees sent one or two emails to the wrong recipient. That means a business of 5,000 employees can expect to deal with around 3,400 misdirected emails per year. A misdirected email containing employee, customer or patient data can potentially trigger a significant fine under GDPR and other legal frameworks. 

  • Generative AI is ​​the fastest growing area of concern: Tools such as ChatGPT, Grammarly, Bing Chat and Google Gemini are increasing in power and utility, and more users are inputting sensitive data into these applications. “Browsing gen AI sites” has become one of the top five DLP and insider threat alert rules configured by organisations using Proofpoint’s Information Protection platform. 

Emerging channels underscore the importance of regularly reviewing ​DLP​ program​s, as​ these types of rapid developments change user behaviours​,” said Kalember​. ​“​Strategies such as implementing purpose-built ​DLP​ platforms can help advance security programs by enabling security teams to gain full user and data visibility into all incidents and address the full spectrum of human-centric data loss scenarios​.​ Humans are a critical data security variable—and data loss prevention programs must recognise this.”

To download ​the 2024 Data Loss Landscape​ report, please visit: https://www.proofpoint.com/au/resources/threat-reports/data-loss-landscape  

#### 

About Proofpoint, Inc. 

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com

Connect with Proofpoint: X | LinkedIn | Facebook | YouTube 

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.