One in five employees alter IT security settings

Flying can be more than a means of getting from A to B. It can also be educational if your seat-mate is careless while working on a laptop.

Patrick Gray, senior security strategist at Cisco Systems, for example, recalls what could have been an educational trip this month on a trip across the U.S. “I was on an airplane flying out to Salt Lake City (Utah) last week sitting next to a consultant with one of the final four consultancies doing a write-up on a Fortune 10 company,” he recalled in an interview. “Gee, it was great stuff we could probably use at Cisco if I were a nefarious kind of a guy.”

The former FBI and National Security Agency staffer has no doubt what he could read was sensitive – it had “Confidential” written all over it.

For years untold trees have died to carry warnings about the need to ensure corporate data is protected. Yet even today the message isn’t getting through, judging by the regular news reports about PCs stolen from offices and cars with gigabytes of unsecured personal information and online break-ins of databases.

To get an idea of why data is still being lost Cisco released a survey Tuesday it paid for earlier this year which questioned 1,000 employees and 1,000 IT professionals in 10 countries – the U.S, Britain, France, Germany, Italy, Japan, China, Brazil, India and Australia – to find out why and see if there are cultural differences in how people practice security.

Some of the results may not be surprising. For example, almost two of three employees admitted using work computers daily for personal use, such as downloads, shopping and e-mail.

But consider these findings:

-one in five employees said they altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites;

-seven of 10 IT professionals said employee access of unauthorized Web sites and applications (including online shopping sites) ultimately resulted in as many as half of their companies’ data loss incidents;

-in the past year, two of five IT professionals came across staffers accessing unauthorized parts of a network or facility. Two-thirds had to deal with this danger more than once in the past year. Fourteen per cent said it happens monthly;

-24 per cent of employees said they have verbally shared sensitive information to non-employees, including strangers;

-at least one in three employees leave computers logged on and unlocked when away from their desk. They also tend to lave laptops on their desks overnight, sometimes without logging off;

-one in five employees store system logins and passwords on their computers or leave them written down in plain sight on their desks.

What Gray’s seat-mate should have had on his laptop was a security screen so someone looking at it from a side angle can’t read. Of all people surveyed, only 23 per cent of respondents said they use such a screen – and only six per cent in Germany.

The survey suggests some countries, usually industrialized nations, are doing a better job than others – but not necessarily. For example, 22 per cent of German employees surveyed said that vendors or partners are allowed to roam around their organization’s offices unsupervised, compared to a survey average of 13 per cent.

In a briefing with IT World Canada just before the survey results were announced, Gray and Marie Hattar, Cisco’s vice-president of network systems and security solutions, said the study suggests managers still need to educate staffers about safe computing behaviour.

“Many people when they think about data loss or data leak prevention, they always focus on protecting the network,” said Hattar, whose company sells a diverse line of network protection products, “and while that’s absolutely important you’ve got to look beyond the network. It’s the verbal (behaviour), it’s the physical it’s the visual. You have to make sure you put in a holistic strategy.” It doesn’t help that many organizations still have departments that don’t talk to each other, she added, thereby constraining organizations from having cross-company security policies.

“We’re doing a great job at the perimeter” with firewalls, intrusion detection and anti-spam, said Gray. “But where we’re doing a terrible job is within our own networks and perhaps what’s going outbound from our networks.”

“This survey tells me that people are getting away with a lot of things technically that we probably could stop.”

“I was in an office of a Fortune 10 company in Instanbul and went into the copy room to make a copy of a document and found that company’s marketing strategy for 2007 through 2012 on top of the copy machine,” Gray continued. “Very sensitive data, and right behind me came a gentleman on the cleaning crew. I’m sure he doesn’t make a lot of money, but that document was there for the taking, which would have given him a lifetime of bonuses if he’d have stuffed it into the trash bag he had with him and carry it out.”

Hattar denied Cisco did the study as a defensive measure to deflect possible complaints that its products, and those of other network security vendors, aren’t up to the job. “The problem is most people think of this as a technology issue,” she said, and Cisco wanted to understand the causes of data leakage.

She also disagreed with a suggestion the study shows nothing new about risky employee behaviour that wouldn’t have been in an identical study done five years ago. Some countries, such as the U.S., showed better security behaviour that some emerging nations. Those countries “need to understand that there are certain risks involved from a security perspective.”