Gen Y online habits endanger corporate nets

A recent survey by network equipment provider Cisco Systems Inc. indicates that Canada’s highly Web-connected Generation Y workforce has a serious disconnect with corporate IT security policies.

While 34 per cent of IT professionals say they have policies that forbid workers from using company-owned devices for personal activities, as many as two out of three employees say they “don’t obey the policies all the time,” according to Cisco’s 2013 Annual Security Report.

Cisco surveyed 1,800 college students and workers aged 18 to 30 as well as 1,800 information technology professionals in 18 countries including Canada, the United States, Mexico, the United Kingdom, Russia, Korea, and Japan.

“As Generation Y graduates from college enter the workforce in greater numbers, they test corporate cultures and policies with expectations of social media freedom, device choice and mobile lifestyles that the generation before them never demanded,” Cisco said in a statement. “…Unfortunately our study shows Gen Y workers’ lifestyles are also introducing security challenges that companies never had to address before on this scale.”

When asked if it was all right for employers to track employees’ activities online if the workers are using company devices, 72 per cent of the Canadian respondents said no and only 28 per cent said it was okay.

Cisco’s survey also found what many parents of teenagers have known for the past five years. In Canada, 92 per cent of so-called millennials feel the age of privacy is over, with some 34 respondents saying they are not worried at all about data about them that is stored by online sites they visit. No less than 57 per cent of the Gen Y respondents said they were comfortable with their personal information being used by retailers, social media sites and other online sites if they benefit from the experience.

IT administrators know that many employees do not follow the rules, but they don’t understand how prevalent the problem is. For example, globally, more than 52 per cent of IT professionals believe their employees obey IT policies, but nearly three out of four, or 71 per cent, of Gen Y workers say they don’t obey these rules.

When Cisco’s survey findings on Gen Y online habits are taken in light of recent security threat reports by network security firm FortiGuard Labs, a more chilling picture surfaces.

Research done by the security company from October to December last year indicates increasing activity in mobile malware variants of the Android Plankton ad kit as well as in hacktivist Web server vulnerability scanning, said Guillaume Lovet, senior manager of FortiGuard Labs’ Threat Response Team.

In the third quarter of 2012, FortiGuard Labs detected high activity levels of ZmEu, a tool that was developed by Romanian hackers to scan Web servers running vulnerable versions of the MySQL administration software (phpMyAdmin) in order to take control of those servers. Since September, the activity level has risen a full nine times before finally levelling off in December.

Lovet outlined four methods commonly used by attackers:

1. Simda.B: A malware that poses as a Flash update in order to trick users into granting it full installation rights. Once installed, the malware steals the user’s passwords, allowing cybercriminals to infiltrate a victim’s email and social networking accounts to spread spam or malware, access Web site admin accounts for hosting malicious sites and siphon money from online payment system accounts.

2. FakeAlert.D: A fake antivirus malware that notifies users via a convincing-looking pop-up window that their computer has been infected with viruses, and that, for a fee, the fake antivirus software will remove the viruses from the victim’s computer.

3. Ransom.BE78: This ransomware prevents users from accessing their personal data. The infection either prevents a user’s machine from booting or encrypts data on the victim’s machine and then demands payment for the key to decrypt it.

4. Zbot.ANQ: This Trojan is the “client-side” component of a version of the infamous Zeus crime-kit. It intercepts a user’s online bank login attempts and then uses social engineering to trick them into installing a mobile component of the malware on their smartphones. Once the mobile element is in place, cybercriminals can then intercept bank confirmation SMS messages and subsequently transfer funds to a money mule’s account.
 
“While methods of monetizing malware have evolved over the years, cybercriminals today seem to be more open and confrontational in their demands for money − for faster returns,” said Lovet. “Now it’s not just about silently swiping passwords, it’s also about bullying infected users into paying.”
 
“Today, we live in a blended work-personal life,” according to John Stewart, senior vice president and chief security officer for Cisco’s Global Government and Corporate Security. “The hackers know this and the security threats that we encounter online such as embedded Web malware while visiting popular destinations like search engines, retailers and social media sites and smartphone and tablet apps no longer threaten only the individual, they also threaten the organizations by default.”

 


