In a survey commissioned by Cisco, just over one-half of respondents said they altered company security settings even though it was against company policy.
Employees worldwide are engaging in risky behavior that results in personal as well as corporate data leakage, says a white paper [pdf] published by Cisco.
Insight Express, a third-party market research firm, surveyed [pdf]100 end users and 100 IT professionals from 10 countries chosen by Cisco for their differing social and business cultures.
Cisco says that data security has become more precarious as storage and compression technology has grown more muscular. For instance, new removable 64-gigabyte removable devices allow full harddrives to be copied "onto a device the size of a pack of gum," says the white paper. "These devices make it easier for employees, partners, or data thieves to access, move, or lose intellectual property or customer data."
But in the end, the problem really resides in employee behavior here, there, and everywhere.
Seventy-eight percent of employees access their personal e-mail accounts using their business computers, double the amount of authorized use. Two-thirds of employees use their business computers for personal reasons everyday—such as paying bills online, instant messaging, and shopping online— while 83 percent say they use their business computers for personal reasons at least sometimes. IT professionals surveyed say that employee use of unauthorized applications resulted in approximately half of their data loss incidents.
Certain behaviors occur more often in some countries as opposed to others. Employees in India routinely alter IT security settings so they can access Web sites blocked by the company. Workers in Brazil have a penchant for downloading music on business computers. French workers, however, were found to be the most derelict. Only 16 percent of the French end users surveyed say they adhere to security policies all the time.
Maybe the most shocking thing researchers found was password misuse. Eighteen percent of those polled shared passwords with co-workers. That number shot up to 25 percent in China, India, and Italy. Twenty-eight percent of Chinese workers stored their passwords to their personal financial accounts on their business computers.
The paper says IT professionals have a hard time instituting a centralized security policy as more and more workers labor from home or while on the road. And as the white paper reports, many workers simply don't care what their company's IT security policies are. When InsightExpress asked end users why they altered security settings, just over one-half of people surveyed answered, "Because I wanted to visit that Web site regardless of the company's policy."
Cisco recommends that IT professionals take a comprehensive and holistic approach to securing their companies data based on how their information is stored, how it is accessed, and who uses it, combined with knowledge of what abuses or threats frequently arise at that particular location. From there, IT can craft security policies, educate employees on risky behaviors, and then make the appropriate investment in security technology.
But there is also an intangible to any well-crafted security policy: trust.
"If IT locks everything down and doesn’t give users any freedom then users will work harder to break the rules or deviate from policy," Fred Kost, director of security solutions at Cisco told InternetNews.com. "So there is a balance there and keeping users educated and building up the trust is critically important."
"The ultimate goal," according to Cisco, "is for everyone, at every level, to believe that corporate security is critical, understand the policies and procedures for achieving a secure environment, and the implement the necessary activities every day."