031
business processes are disrupted because the security
policy is stricter than needed?
In our research, we analyzed traffic being sent from
inside the organizations to the outside. We examined
both HTTP and SMTP traffic. For example, in the case
of emails sent to an external recipient, a Check Point
device inspected the email body, email recipients and
email attachments (even if zipped). We also inspected
web browsing activities, such as web posts and web mails.
As a security policy on these devices, we configured out-
of-the-box pre-defined data types to detect sensitive
data, forms and templates (such as credit card numbers,
source code, financial data and more) that might indicate
a potential data leakage if falling into the wrong hands.
A detailed list of data types can be found in Appendix D.
Potential Data Loss in Your Organization
In our research, we found that 54% of organizations
had at least one event which might indicate a potential
Here are some examples of data loss incidents caused
unintentionally by employees during 2012:
In October 2012,
Stoke-on-Trent City Council
in the UK was fined £120,000 after a member of its
legal department sent emails containing sensitive
information to the wrong address. Eleven emails
intended for a lawyer working on a case ended up being
sent to another email address due to a typing mistake.
Japan’s newspaper
Yomiuri Shimbun
fired one of
its reporters during October 2012, for accidentally
sending sensitive investigative information to the
wrong people. The reporter meant to send some of his
research findings to colleagues via email, but instead
sent the messages to several media outlets, disclosing
the identities of his sources
24
.
In April 2012,
Virginia Military Institute
in
Lexington inadvertently sent out students‘ Grade
Point Averages via an email attachment. An email was
sent to the president of the graduating class containing
an attached spreadsheet revealing the grade point
average of every senior. Unaware of the additional
attachment, the president then forwarded the message
to another 258 students. The original intention was to
email only a single spreadsheet that contained names
and residences so students could confirm their mailing
addresses
25
.
Texas A&M University
accidentally sent an email
with an attachment containing 4,000 former students’
Social Security numbers, names and addresses to an
individual who subsequently notified the university of
the mistake. The incident took place in April 2012
26
.
Oops… I Sent the Email
to the Wrong Address
61
%
Finance
50
%
Industrial
45
%
Telco
33
%
Consulting
54
%
Others
70
%
Government
Percentage of Organizations with at least
One Potential Data Loss Event per Industry
(% of Organizations)
Chart 4-A
ׁ
Source: Check Point Software Technologies