Nearly three out of four or 71 per cent of Gen Y workers say they don’t obey IT security rules, according to a recent survey by Cisco
By: nestor e. arellano Computing Canada (04 Feb 2013)
A recent survey by network equipment provider Cisco Systems Inc. indicates that Canada’s highly Web connected Generation Y workforce has a serious disconnect with corporate IT security policies.
While 34 per cent of IT professionals say they have policies that forbid workers from using company-owned devices for personal activities as much as two out of three employees say they “don’t obey the policies all the time,” according to Cisco’s 2013 Annual Security Report.
Cisco surveyed 1,800 college students and workers aged 18 to 30 as well as 1,800 information technology professionals in 18 countries including Canada, the United States, Mexico, The United Kingdom, Russia, Korea, and Japan.
“As Generation Y graduates from college enter the workforce in greater numbers, they test corporate cultures and policies with expectations of social media freedom, device choice and mobile lifestyles that the generation before them never demanded,” Cisco said in a statement. “…Unfortunately our study shows Gen Y workers’ lifestyle are also introducing security challenges that companies never had to address before on this scale.”
When asked if it was all right for employers to track employees’ activities online if the workers are using company devices, 72 per cent of the Canadian respondents said no and only 28 per cent said it was okay.
Cisco’s surveyed also found what many parents of teenagers have known for the past five years. In Canada 92 per cent of so-called millennials feel the age of privacy is over with some 34 respondents saying they are not worried at all about data about them that is stored by online sites they visit. No less than 57 per cent of the Gen Y respondents said they were comfortable with their personal information being used by retailers, social media sites and other online sites if they benefit from the experience.
According to IT administrators, they know how many employees do not follow the rules but they don’t understand how prevalent the problem is. For example, globally, more than 52 per cent of IT professionals believe their employees obey IT policies, but nearly three out of four or 71 per cent of Gen Y workers say they don’t obey these rules.
When Cisco’s survey on Gen Y online are taken in the light of recent security threat reports by network security firm FortiGuard Labs, a more chilling picture surfaces.
Research done by the security company from October to December last year indicate an increasing activity in mobile malware variants of the Android Plankton ad kit as well as in hacktivist Web server vulnerability scanning, said Guillaume Lovet, senior manager of FortiGuard Labs' Threat Response Team.
In the third quarter of 2012, FortiGuard Labs detected high activity levels of ZmEu, a tool that was developed by Romanian hackers to scan Web servers running vulnerable versions of the mySQL administration software (phpMyAdmin) in order to take control of those servers. Since September, the activity level has risen a full nine times before finally levelling off in December.
Lovet outline four methods commonly used by attackers:
1. Simda.B: A malware that poses as a Flash update in order to trick users into granting their full installation rights. Once installed, the malware steals the user’s passwords, allowing cybercriminals to infiltrate a victim’s email and social networking accounts to spread spam or malware, access Web site admin accounts for hosting malicious sites and siphoning money from online payment system accounts.
2. FakeAlert.D: A fake antivirus malware that notifies users via a convincing-looking pop-up window that their computer has been infected with viruses, and that, for a fee, the fake antivirus software will remove the viruses from the victim’s computer.
3. Ransom.BE78: This is ransomware, prevents users from accessing their personal data. The infection either prevents a user’s machine from booting or encrypts data on the victim’s machine and then demands payment for the key to decrypt it.
4. Zbot.ANQ: This Trojan is the "client-side" component of a version of the infamous Zeus crime-kit. It intercepts a user’s online bank login attempts and then uses social engineering to trick them into installing a mobile component of the malware on their smartphones. Once the mobile element is in place, cybercriminals can then intercept bank confirmation SMS messages and subsequently transfer funds to a money mule's account.
"While methods of monetizing malware have evolved over the years, cybercriminals today seem to be more open and confrontational in their demands for money − for faster returns,” said Lovet.“Now it's not just about silently swiping passwords, it's also about bullying infected users into paying."
Lovet also said that in the third quarter of 2012, FortiGuard Labs detected high activity levels of ZmEu, a tool that was developed by Romanian hackers to scan Web servers running vulnerable versions of the mySQL administration software (phpMyAdmin) in order to take control of those servers.
“Today, we live in a blended work-personal life,” according to John Stewart, senior vice president and chief security officer for Cisco’s Global Government and Corporate Security. “The hackers know this and the security threats that we encounter online such as embedded Web malware while visiting popular destinations like search engines, retailers and social media sites and smartphone tablet apps no longer threaten only the individual, there also threaten the organizations by default.”