2013 CHECK POINT ANNUAL SECURITY REPORT
04 _ DATA LOSS INCIDENTS IN YOUR NETWORK
data loss event in an average time of 6 days. We took into account events that included internal information (see the list of data types in Appendix D) which was sent to external resources, either by sending it to an external email recipient or by posting it online.
Our research indicates that Governmental and Financial organizations are at high risk of potential data loss (see Chart 4-A).
Internal Emails Sent Outside the Organization
In many cases, data loss events occur unintentionally through an employee sending email to the wrong recipient. In our research we looked at two types of emails that might indicate such cases. The first type consists of emails that are sent with internal visible recipients (To and CC) and external recipients in the BCC field. Such emails, in most cases, seem to be internal but are actually leaving the company. The second type consists of emails sent to several internal recipients and a single external one. Such emails are usually sent unintentionally to a wrong external recipient. One or both of these types of events were found in 28% of organizations examined.
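The two recipient patterns described above can be checked mechanically at the mail gateway. The following is an added example written for this page, not Check Point's inspection code: it parses a message's To/CC/BCC headers and reports which pattern (if any) fires. The internal domain `example.com`, the sample messages and the function names are assumptions made for the example.

```python
"""Flag outbound e-mails whose recipient layout matches the two accidental
leak patterns from the report: (1) internal To/CC with an external address
hidden in BCC, and (2) several internal recipients plus exactly one external
one. Added example; domain, samples and names are assumptions."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain(s)


def _addresses(msg: Message, header: str) -> list[str]:
    """Return lower-cased addresses from every occurrence of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_internal(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] in INTERNAL_DOMAINS


def classify_recipients(raw: str) -> list[str]:
    """Return the names of the patterns a message matches (empty list: none).

    BCC is only visible on the sender's copy or at the submitting MTA, which is
    where a check like this has to run.
    """
    msg = message_from_string(raw)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    bcc = _addresses(msg, "Bcc")
    findings = []

    # Pattern 1: everything the reader sees is internal, but BCC leaves the company.
    if visible and all(_is_internal(a) for a in visible) and any(not _is_internal(a) for a in bcc):
        findings.append("internal-visible-external-bcc")

    # Pattern 2: several internal recipients and exactly one external one,
    # the usual shape of a mistyped or auto-completed address.
    everyone = visible + bcc
    internal = [a for a in everyone if _is_internal(a)]
    external = [a for a in everyone if not _is_internal(a)]
    if len(internal) >= 2 and len(external) == 1:
        findings.append("many-internal-single-external")

    return findings


# Constructed sample messages (not real traffic); ".test" is a reserved TLD.
SAMPLES = {
    "hidden_bcc": (
        "From: alice@example.com\nTo: bob@example.com\nCc: carol@example.com\n"
        "Bcc: press@other-company.test\nSubject: Q3 numbers\n\nDraft attached.\n"
    ),
    "typo_recipient": (
        "From: alice@example.com\nTo: bob@example.com, dave@example.com\n"
        "Cc: erin@exmaple.com\nSubject: Customer list\n\nSee spreadsheet.\n"
    ),
    "all_internal": (
        "From: alice@example.com\nTo: bob@example.com, dave@example.com\n"
        "Subject: Lunch\n\nNoon?\n"
    ),
}


def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Classify every sample; a gateway would do the same per outbound message."""
    return {name: classify_recipients(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {hits or 'no pattern'}")
```

Both patterns can fire on the same message (an all-internal To plus one external BCC), which matches the report's "one or both" wording; a real deployment would feed the match into a hold-and-confirm workflow rather than silently blocking.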
What Type of Data Do Employees Send to External Recipients or Post Online?
Chart 4-C shows the top data types sent to parties outside the organization. Credit card information is leading the list, while source code and password protected files follow.
Is your Organization PCI Compliant?
Employees send credit card numbers over the Internet, their own and customers' numbers. They send customer payment receipts that contain a credit card number in an email attachment. They reply to a customer email that originally contained his credit card number in the email's body. Sometimes employees even send spreadsheets with customer data to private email accounts or to a business partner.
Often, credit card number-related incidents are a result of a broken business process or lack of employees' attention and awareness. Such incidents may indicate that the corporate security policy does not meet the objective of promoting secure and careful use of corporate resources.
Moreover, sending credit card numbers over the Internet is not compliant with PCI DSS requirement 4, which mandates that cardholder data be encrypted during transmission across open public networks. Failing to comply with PCI DSS can result in damaged reputation, lawsuits, insurance claims, cancelled accounts, payment card issues, and government fines.
In our research, we inspected outgoing traffic from organizations and scanned the content in all message parts, including attachments and archives, searching for emails containing credit card numbers or cardholder data. The inspections are based on regular expressions, validation of check digits, and PCI DSS compliance regulations.
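The inspection just described (walk every message part, open archives, match a regular expression, then keep only candidates whose check digit validates) can be reproduced in a few dozen lines. The block below is an added example for this page, not the report's inspection engine: it builds a constructed outbound message containing a quoted card number in the body and a ZIP attachment with a receipts CSV, then scans it. The card numbers used are the widely published test numbers (4111..., 5500...0004), the size cap, file names and function names are assumptions made for the example, and the check-digit routine is the Luhn algorithm.

```python
"""Scan an outbound e-mail for credit card numbers across all MIME parts,
descending into ZIP attachments; candidates come from a regex and are kept
only if they pass the Luhn check digit. Added example; sample message, test
card numbers, names and limits are constructed assumptions."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap so a zip bomb cannot exhaust memory


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: every second digit from the right is doubled
    (minus 9 if above 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digits-only candidates from text that pass Luhn, without duplicates."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def _iter_payloads(msg: Message):
    """Yield (location, text) for each leaf part, expanding ZIP archives inline."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.infolist():
                        if member.file_size > MAX_MEMBER_BYTES:
                            continue  # oversized member: skip rather than inflate it
                        yield f"{name}!{member.filename}", zf.read(member).decode("utf-8", "replace")
                continue
            except zipfile.BadZipFile:
                pass  # not really a zip: fall through and scan the raw bytes
        yield name, data.decode("utf-8", "replace")


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each part or archive member that holds valid card numbers to those numbers."""
    hits: dict[str, list[str]] = {}
    for location, text in _iter_payloads(message_from_bytes(raw)):
        numbers = find_card_numbers(text)
        if numbers:
            hits[location] = numbers
    return hits


def build_sample() -> bytes:
    """Constructed message: a reply quoting the customer's card in the body and a
    ZIP attachment with a receipts CSV. Test numbers only; the third value is a
    16-digit string that fails Luhn and must not be reported."""
    msg = MIMEMultipart()
    msg["From"] = "agent@example.com"
    msg["To"] = "customer@mail.test"
    msg["Subject"] = "Re: your order"
    msg.attach(MIMEText("Thanks!\n\n> My card 4111 1111 1111 1111 was charged twice.\n"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("receipts.csv", "order,card\n1001,5500-0000-0000-0004\n1002,1234567812345678\n")
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename="receipts.zip")
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    for location, numbers in scan_message(build_sample()).items():
        print(f"{location}: {len(numbers)} valid card number(s)")
```

The Luhn step is what keeps the regex from flooding analysts with order numbers and phone numbers, and the archive walk is what catches the "receipt in a zipped spreadsheet" case the text describes; nested archives, Office containers and encrypted ZIPs would need further handling beyond this example.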
Chart 4-B
Percentage of Organizations per Industry in which Credit Card Information was Sent to External Resources (% of Organizations)

  Finance      36%
  Industrial   26%
  Telco        18%
  Consulting   11%
  Other        26%
  Government   47%

Source: Check Point Software Technologies

In 28% of Organizations an Internal Email was Found to be Sent to an External Recipient