Cisco: IT Managers Neglect Employee Security Threat

While enterprises may be on top of their security practices for the most part, data leakage as a result of end user misuse and abuse is something that might very well be flying under the radar.

According to a newly released global study by Cisco (Nasdaq: CSCO), "The Challenge of Data Leakage for Business and Employees Around the World," employees are taking numerous risks that could lead to the loss of corporate information.

Personal and Local Matters

The use of corporate technology resources for personal activities is becoming increasingly prevalent as the line between people's personal and work lives continues to blur. The study indicates that nearly eight in 10 end users use their company-issued computer to send and receive e-mails through a personal e-mail account on a regular basis. In addition, roughly half use their work computer for personal research and online banking.

The most interesting numbers coming out of the survey of 1,009 end users and 1,011 IT decision makers in 10 countries is the disparity in data security practices from country to country. In China, Brazil and India, for example, a significantly larger proportion of end users has altered the security settings on their company-issued laptop (42 percent, 26 percent and 20 percent, respectively). By way of comparison, the U.S. sits at a mere 2 percent.

This discrepancy could be attributed to the fact that these countries have been experiencing a significant ramp up in the knowledge worker industry over the past five years, notes Marie Hattar, vice president of network and security solutions for Cisco in San Jose, Calif. "There is more outsourcing of services and as a result, more Internet use. Given that this is fairly recent, they weren't there nine years ago when the rest of us were hit by Blaster, Nimda or Code Red viruses."

Open Doors and Open Minds

Physical access to networks and premises is another issue that deserves attention. About four in 10 IT decision makers have had to deal with an employee gaining access to an unauthorized physical or network area. The same holds true for vendors or partners visiting sites.

Users are also more cavalier with their IT resources. More than four in 10 end users have allowed someone else to use their company-issued computer without supervision.

The risk can even extend to conversations between co-workers and family members. More than four in 10 end users have shared sensitive information about their job with others.

"Companies tend to think that data loss is all about network security," Hattar says. "When you think of data loss, you have to look at it as anywhere someone can potentially take information away. If you want to develop a holistic strategy, you have to include the physical security [of server rooms and computer use] and personal behavior."

Bad Habits to Break

For the most part, user habits that can lead to data loss are done without a second thought. Approximately two-thirds of respondents have done one or more activities that threaten corporate security on some level. At the top of the list is stepping away from a computer without logging off or shutting it down and/or leaving a computer turned on overnight.

Other potentially risky activities on the list include carrying corporate data on portable storage devices outside the office; storing computer login/password information on your computer at work; sharing computer login/password information with fellow workers; and throwing away corporate paperwork without shredding it.

The risks are also increasing as we deal with a rapidly growing mobile workforce:

• Only half of remote workers continually monitor their surroundings to make sure no one is looking at their work
• More than half do not take any special precautions to ensure security and privacy while working in a public setting
• Almost half transfer work documents to and from their home computer

The Learning Curve

Dealing with data loss is only going to be more challenging in today's networked world, Hattar says. "All of a sudden there are a lot more collaboration tools and thousands of entry points to corporate assets. The explosion in social networking is only adding to this, as employees become much more open and less private about anything. That's why they need to be brought up to speed on good security practices."

Social engineering is creating one of the biggest gaps in network security, so the need to look at behavior as well as technology is critical, said Michael Hall, chief information security officer for Drivesavers in Novato, Calif., a data recovery firm.

"IT departments are very proficient at defining their network architecture. One telling thing that this study shows, however, is the lack of communication with end users. You can hedge your bets by putting restrictions on laptops and manipulating hardware to stop some [bad habits] but you can't control what people say to other people. The only thing you can do is educate them, and have security training policies and procedures in place to create constant awareness."