The Insider Breach of the Month blog series sheds light on the growing problem of email exfiltration of sensitive data to unauthorized accounts. It also examines how Proofpoint helps protect against these serious data loss events. Stories in this series have all been anonymized.
Proofpoint regularly catches insider data loss events during our complimentary email data loss assessments. During these assessments, Proofpoint helps companies identify if their sensitive data is being exfiltrated to unauthorized email accounts, like personal freemail accounts, private domain email accounts or even a family member’s email account.
Today, we’ll explore a major breach at a large law firm, which was caused by an employee who had accepted a role at another practice.
The scenario
In this case, the customer was a large law firm with locations in multiple countries. An employee accepted a new role at a competing firm and then proceeded to send multiple pages of attachments to their personal account. This exposed a massive amount of the law firm’s sensitive data, putting it at risk for a data breach.
The threat: How did the data loss happen?
On the last day of their employment, the departing employee emailed the data to a personal email account. The chart below shows the anomalous activity in red.
This reflects a typical pattern. When an employee leaves a company, there’s often an increase in the volume and frequency of sensitive data being sent within a short span of time.
Proofpoint Adaptive Email DLP chart that shows anomalous email pattern of the departing employee.
The assessment: How Proofpoint identified this data loss
We deployed Adaptive Email DLP to learn from and detect anomalies based on six months of historical email data.
Adaptive Email DLP uses Proofpoint Nexus behavioral AI and the industry’s broadest email data sets. This enables it to analyze working relationships and understand when sensitive data is being sent to unauthorized accounts rather than as part of regular business communication.
By analyzing and learning normal email sending behaviors, trusted relationships and how users handle sensitive data, Adaptive Email DLP can detect when anomalous email behavior is occurring.
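The behavioral idea described above, shown as an added example that is not Proofpoint's code or algorithm: it builds a per-sender baseline from historical mail metadata (known recipients, daily attachment counts) and flags a day on which attachments go to a freemail recipient with no prior relationship at a volume far above the sender's norm. The record layout, the placeholder freemail domain, the z-score threshold and all sample rows are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: placeholder freemail domain; a real list names actual providers.
FREEMAIL = {"freemail.example"}

def build_baseline(history):
    """history rows: (day, sender, recipient, attachment_count)."""
    known = defaultdict(set)                       # sender -> recipients already seen
    daily = defaultdict(lambda: defaultdict(int))  # sender -> day -> attachments sent
    for day, sender, rcpt, n in history:
        known[sender].add(rcpt.lower())
        daily[sender][day] += n
    stats = {s: (mean(list(d.values())), pstdev(list(d.values())))
             for s, d in daily.items()}
    return known, stats

def score_day(events, known, stats, z_threshold=3.0):
    """Flag sender->recipient pairs that are new, freemail and far above baseline."""
    totals = defaultdict(int)
    for _day, sender, rcpt, n in events:
        totals[(sender, rcpt.lower())] += n
    alerts = []
    for (sender, rcpt), total in totals.items():
        mu, sigma = stats.get(sender, (0.0, 0.0))
        z = (total - mu) / max(sigma, 1.0)  # floor sigma so flat histories stay finite
        new_relationship = rcpt not in known.get(sender, set())
        if new_relationship and rcpt.rsplit("@", 1)[-1] in FREEMAIL and z >= z_threshold:
            alerts.append({"sender": sender, "recipient": rcpt,
                           "attachments": total, "z": round(z, 1)})
    return alerts

# Constructed sample data (not from the assessment described on this page).
HISTORY = [(d, "alice@firm.example", "client@corp.example", n)
           for d, n in enumerate([2, 1, 3, 2, 2], start=1)]
HISTORY += [(d, "bob@firm.example", "court@registry.example", n)
            for d, n in enumerate([1, 2, 1], start=1)]
LAST_DAY = [
    (6, "alice@firm.example", "client@corp.example", 2),       # known relationship
    (6, "alice@firm.example", "alice.home@freemail.example", 25),
    (6, "alice@firm.example", "alice.home@freemail.example", 15),
    (6, "bob@firm.example", "bob.home@freemail.example", 2),   # new, but normal volume
]

def demo():
    known, stats = build_baseline(HISTORY)
    return score_day(LAST_DAY, known, stats)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the 40-attachment burst to the new freemail address is flagged; the same sender's mail to a known client and the second sender's low-volume message to a new address are not.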
During the assessment, Adaptive Email DLP identified unauthorized email accounts and anomalous activity related to the sensitive data that was sent to those accounts. Then, we met with the customer to review specific events where we detected sensitive data loss.
As part of the review, we provided a list of all unauthorized accounts that were detected. We also provided all the emails that were sent to those accounts. Details about those emails included:
- Sender
- Recipient
- Subject
- Attachments
Anonymized and redacted examples of the data that was exfiltrated.
Prevention: What are the lessons learned?
Here are some tips to stop your data from being sent to unauthorized accounts:
- Adopt a multilayered approach. Rules-based email data loss prevention (DLP) is critical in preventing sensitive data loss. However, it focuses on content, and its rules are based on known risks and specific regex patterns. An adaptive, behavioral approach is necessary to detect unknown risks that you can’t define in a rule. Look for a tool that uses behavioral AI and machine learning. These technologies can analyze context and the relationships between a sender and a recipient, as well as other important details, to detect whether data is being sent to an unauthorized account.
- Use in-the-moment warnings. With an adaptive approach, you can implement in-the-moment nudges that warn users when their behavior is risky. This helps them make informed decisions. Plus, it reinforces your security policies. And it prevents emails with sensitive data from leaving your organization.
Proofpoint delivers human-centric protection
Sensitive data being sent to unauthorized accounts is a significant risk that organizations cannot afford to overlook.
Proofpoint Adaptive Email DLP offers a powerful, easy-to-deploy solution to mitigate this risk. By combining advanced Proofpoint Nexus behavioral AI and machine learning with ease of use, organizations can modernize their current email DLP by preventing accidental and intentional data loss. This helps keep their sensitive data safe while empowering employees to communicate more effectively and securely.
Proofpoint is a leader in human-centric security. We secure 85% of the Fortune 100. And we’ve automatically prevented more than 1 million breaches for our customers. Sign up for a confidential complimentary data loss assessment.
To learn how to stop sensitive data from being sent to unauthorized accounts, download our Adaptive Email DLP solution brief today.