Survey: Highly Sensitive Information Sent Via Email Lacks Critical Security Controls

For 80% of respondents, the only thing standing between an attacker and this email communication is a username and password, according to PhoneFactor

OVERLAND PARK, KANSAS (June 25, 2012) – PhoneFactor, the leading global provider of phone-based multi-factor authentication, today announced telling new survey data regarding the vulnerability of company email systems. The majority of respondents reported that highly sensitive information about their corporate strategy or customer base is communicated via email. For 80% of respondents, the only thing standing between an attacker and this email communication is a username and password.

When the personal email accounts of Mitt Romney and Sarah Palin were hacked, it made the news, but the vast majority of people don’t believe their personal or business email is under attack. Cases like the decade-long monitoring of email belonging to Nortel executives prove that email communication is in fact incredibly valuable and therefore highly targeted by cybercriminals. To test the point, we surveyed more than 400 IT professionals about the types of information sent via their company email systems and what they are doing to secure access to it. Here are the results:

Risk: Nearly three-quarters (73%) of respondents consider the data they transmit in company email to be highly sensitive.

Survey respondents indicated the following proprietary documents were likely sent via their company email:

- Proprietary Company Information – Business Process and Corporate Strategy (59%)
- Sales Communications – Sales Quotes and RFPs (54%)
- Sensitive Information About Customers (49%)
- Intellectual Property – Product Roadmaps and Designs (48%)
- Company Financials – Budgets and Sales Forecasts (46%)

Larger companies also reported HR Information, such as compensation plans and reviews, (47%) and Individual Employee Information, such as social security numbers and personal data, (38%) as being commonly sent through email.

The information their corporate executives transmit is considered even more sensitive, including material like:

- Budgeting Plans/Details (76%)
- Product Roadmap Plans (63%)
- Sensitive Compensation Issues (47%)
- Potential Layoffs and Reorganizations (45%)
- M&A Activities (33%)

If information from a senior executive was compromised, respondents surmised the top three impacts to their business would include:

- Public Embarrassment/Hit to Company Reputation (59%)
- Lost Trust Among Customers (54%)
- Lost Trust Among Employees (49%)

The results were slightly different in healthcare where overall impacts were much higher and Legal Fines/Penalties (53%) were also a key concern, as well as in government where Disruption to Workflow (36%) was a top concern.

For larger organizations, Public Embarrassment was seen as a potential impact for 73% of respondents with Lost Trust Among Customers at 57% and Lost Trust Among Employees at 61%. For nearly one-third (30%) of respondents, these impacts translated into potential Lost Shareholder Value.

Email Security Confidence: An alarming 74% of respondents were either Not at All Confident or only Somewhat Confident that their existing security precautions are adequate to prevent an attacker from penetrating their company email system. Further, 80% said that if a bad guy obtained an employee’s username and password, he could gain access to at least some users’ accounts.

Role of Two-Factor Authentication: When asked if two-factor authentication is critical to prevent unauthorized access to company email, nearly three-quarters (74%) felt it was at least somewhat critical, with 47% rating it as Very or Extremely Critical. Surprisingly, however, only 26% of respondents currently require two-factor authentication to secure remote access to company email for all of their users.

Exposure: With individuals accessing business email from a growing number of remote access points, the exposure for companies is significant and growing. Use of personal smartphones and/or tablets (70%), referred to as BYOD, is nearly tied with access from company supplied mobile devices (67%). Most companies (80%) allow access from personal desktop and/or laptop computers. Less than 2% of respondents reported that their employees do not access company email from outside the office.

Email Security Importance: There seems to be a heightened awareness of the need to secure email systems. Nearly all respondents (96%) found it important to secure access to company email, with 71% rating it Very or Extremely Important. Additionally, 41% have elevated the importance of email security in the past 12 months, and one-third (33%) are planning to add additional security controls to company email in the next year.

As indicated by these survey results, organizations clearly understand the risk they face regarding remote access to company email as well as the importance of securing it. However, a large majority do not feel confident that they have adequate protections in place. Companies are moving to enhance security procedures in what they see as an increasingly unsafe environment. User-friendly security solutions that are easy for the IT department to manage, like PhoneFactor’s multi-factor authentication, are indicated to be a required piece of this complex puzzle.

Bob Morrison, Security Engineer at Fredrikson & Byron, P.A. and a PhoneFactor client, agrees. “Our attorneys and staff use both company issued and their own devices to access a wealth of information via remote access VPN and Citrix® XenApp, including company email. They know that it would be extremely difficult to gain credibility if any customer information was inadvertently intercepted, and are happy to use PhoneFactor’s simple solution. Multi-factor authentication is critical to any company’s comprehensive remote access plan.”

About PhoneFactor

PhoneFactor is a leading provider of multi-factor authentication. The company’s award-winning platform uses any phone as a second form of authentication. PhoneFactor’s out-of-band architecture and real-time fraud alerts provide strong security for healthcare, enterprise, banking, and website applications. It is easy and cost effective to set up and deploy to large numbers of geographically diverse users. Learn more at or follow PhoneFactor on Twitter @phonefactor.