A survey found that every UK organisation without exception had suffered multiple instances of data leakage

Orthus today published the results from monitoring over 100,000 hours of user activity captured through the delivery of their data leakage audit service.

Surveys completed in the last 12 months have looked in detail into the ways in which internal users access, process, store and transmit sensitive information including personal information, financial information, product roadmap and future product detail, contracts, pricing information and HR records.

The findings from the survey showed that every organisation without exception had suffered multiple instances of data leakage – many of them serious and potentially very damaging. The results clearly show that the threat from within is both real and continues to be overlooked. Trusted users are the most likely to be the source of information leaks.

The analysis of 100,000 hours of user activity pinpoints exactly who, where, when and how critical information assets are removed from the infrastructure and demonstrated that the real problem – and the solution – is all about the user.

Key results from the survey showed:

-Corporate data leakage was most likely to occur through mobile devices with 68% of all events identified linked to mobile rather than fixed desktop systems.

-IT and customer services departments had the highest incidence of data leakage.

-Most incidents of data leakage occur during the extended working day (7-7 Monday to Friday).

-The applications most favoured by users to remove sensitive data were identified as web mail, instant messaging (IM) and social networking web sites.

-The top 4 data leakage vectors were identified as mobile devices, web mail, removable media and corporate email.

-All data leakage incidents identified could have been prevented. Existing corporate security policies were not implemented, monitored or enforced.

Richard Hollis, managing director of Orthus said: ‘Companies continue to try and protect information by protecting the architecture deploying devices to protect devices. They neglect the protection of data’.

Hollis went on to say ‘Until organisations accept that the majority of losses are associated with authorised users and implement the necessary controls where they are effective – between the user and the information itself – these losses will continue’.