
Careless employees are UAE organisations’ biggest data loss problem

94% of UAE organisations experienced data loss in the past year, Proofpoint report shows

Published: Tue 19 Mar 2024, 3:49 PM

Updated: Tue 19 Mar 2024, 3:50 PM


An astounding 94 per cent of surveyed organisations in the UAE experienced data loss in the past year, a study showed on Tuesday.

According to the inaugural Data Loss Landscape report by Proofpoint, Inc., a leading cybersecurity and compliance company, almost all (94 per cent) of those affected faced a negative outcome, such as business disruption and revenue loss (reported by 55 per cent of affected UAE organisations) or regulatory violation/fine (47 per cent).

The report explores how current approaches to data loss prevention (DLP) and insider threats are holding up against current macro challenges such as data proliferation, sophisticated threat actors, and generative artificial intelligence (GenAI). The findings reveal that data loss is a problem stemming from the interaction between humans and machines — “careless users” are much more likely to cause those incidents than compromised or misconfigured systems.

While organisations are investing in DLP solutions, Proofpoint’s report shows that those investments are often inadequate.

Emile Abou Saleh, senior regional director at Proofpoint Middle East, Turkey & Africa, said: “Data loss poses a severe threat, where a simple oversight can lead to the loss of critical data. It is, therefore, crucial for employees to understand the role they play in data protection and that it is not just an IT problem. As work models evolve, organisational strategies for securing data across all platforms must also adapt. By enhancing data loss prevention policies and insider risk strategies across the board—from endpoints and cloud apps to email and the web—organisations will be able to bolster their defences against the modern security landscape, ensuring a secure digital future for everyone involved.”

“This research illuminates the most critical aspect of the data loss problem: its human causes,” said Ryan Kalember, chief strategy officer of Proofpoint. “Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, all while GenAI tools are absorbing common tasks—and gaining access to confidential data in the process. Organisations need to rethink their DLP strategies to address the underlying cause of data loss—people’s actions—so they can detect, investigate, and respond to threats across all channels their employees are using including cloud, endpoint, email, and web.”

The 2024 Data Loss Landscape report examines third-party survey responses from 600 security professionals at organisations with 1,000 or more employees across 17 industries from 12 countries. These insights were supplemented with data from Proofpoint’s Information Protection platform and Tessian, which Proofpoint acquired last fall, to convey the scale of the data loss and insider threats that organisations face.

Key global findings include:

• Data loss is a widespread yet preventable problem: organisations experienced the equivalent of two incidents per month (a mean of 24 data loss incidents per UAE organisation in the past year), and 75 per cent of respondents said the main cause was careless users. Carelessness includes misdirecting emails, visiting phishing sites, installing unauthorised software, and emailing sensitive data to a personal account. These are all preventable behaviors that could be mitigated with practices such as implementing data loss prevention policy rules for email, web uploads, cloud file syncing, and other common data exfiltration methods.

• Misdirected email is one of the simplest and most significant sources of data loss: According to 2023 data from Tessian, about one-third of employees sent one or two emails to the wrong recipient. That means a business of 5,000 employees can expect to deal with around 3,400 misdirected emails per year. A misdirected email containing employee, customer or patient data can potentially trigger a significant fine under GDPR and other legal frameworks.

• Generative AI is the fastest growing area of concern: Tools such as ChatGPT, Grammarly, Bing Chat and Google Gemini are increasing in power and utility, and more users are inputting sensitive data into these applications. “Browsing gen AI sites” has become one of the top five DLP and insider threat alert rules configured by organisations using Proofpoint’s Information Protection platform.

Emile Abou Saleh, regional director, Middle East and Africa at Proofpoint


• Consequences of malicious actions can be costly: Nineteen per cent of respondents said malicious insiders such as employees or contractors were behind data loss incidents. Malicious actions and departing employees who seek to harm the organisation can have even greater implications than careless insiders because these individuals are motivated by personal gains.

• Departing employees were identified as one of the riskiest users (22 per cent): Departing employees do not always think they are acting maliciously—some simply feel entitled to leave with information they have produced. Proofpoint data shows that 87 per cent of anomalous file exfiltration among cloud tenants over a nine-month period was caused by departing employees, underscoring the need for preventative strategies such as implementing a security review process for this user category.

• Privileged users are the riskiest: Almost three-quarters (72 per cent) of UAE respondents identified employees with access to sensitive data, such as HR and finance professionals, as representing the greatest risk of data loss. Additionally, Proofpoint data shows that 1 per cent of users are responsible for 88 per cent of data loss events. These findings indicate that organisations must prioritise best practices such as using data classification to identify and protect business-critical data and the “crown jewels,” as well as monitoring people with access to sensitive data or admin privileges.

• Organisations’ data loss prevention programs are maturing: Many DLP programs in the UAE are initially implemented in response to legal regulations, with more than one-third (36 per cent) of survey participants citing meeting regulatory compliance standards as the primary driver. Protecting the privacy of employees and customers and minimising costs associated with data loss came in as the top drivers for UAE organisations (both at 50 per cent).

“Emerging channels underscore the importance of regularly reviewing DLP programs, as these types of rapid developments change user behaviors,” said Kalember. “Strategies such as implementing purpose-built DLP platforms can help advance security programs by enabling security teams to gain full user and data visibility into all incidents and address the full spectrum of human-centric data loss scenarios. Humans are a critical data security variable—and data loss prevention programs must recognise this.”


