When office workers are asked to self-report anonymously on their work-related security behaviors and attitudes, a snapshot emerges that may make IT workers cringe.
The research, conducted in on-the-street surveys in Boston and Washington by RSA in November and published in a report titled "The Confessions Survey," (PDF) found that 53 percent of respondents who work for the private sector access work e-mail via a public computer such as at an Internet café, airport kiosk, hotel or the like. The same is true of 51 percent of government employees.
Sixty-eight percent of enterprise workers leave work carrying a mobile device—such as a laptop, smart phone or USB flash drive—that holds sensitive job-related information, including customer data, Social Security numbers or company financials. That's also true for 58 percent of government workers.
Click here to read more about why most data breaches are the result of human errors.
It's not that these people work for organizations that don't have security policies or training. In fact, 97 percent of those surveyed who work for the government report that they're familiar with IT security policy, as are 81 percent of enterprise workers. Of government workers, 92 percent say that their employers provide security best practices training, as do 69 percent of enterprise workers.
Rather than ignorance regarding proper security procedures, what the research reflects is that a substantial number of users—35 percent enterprise, 34 percent government—feel that they have to take security shortcuts to get their jobs done.
Unfortunately, that weakens security profiles. "These 'innocent' insiders can unwittingly initiate data exposures of extraordinary scope and cost through their ordinary, everyday behavior, whether through carelessness, working around security measures or following inadequate security policies," the report says.
Office workers confessed to these additional security sins, any of which could lead to data exposure:
Access work e-mail via a public wireless hot spot: 64 percent enterprise, 37 percent government.
Lost a laptop, smart phone or USB flash: 8 percent enterprise, 8 percent government.
Send work documents to a personal e-mail address so as to access from home: 61 percent enterprise, 68 percent government.
Internal wireless network for use in conference rooms and guest offices left open for use without login: 19 percent enterprise, 0 percent government.
Have held a secured door open for someone at work whom they didn't recognize: 32 percent government, 35 percent enterprise.
Have forgotten access card/key and been let into the building by someone that didn't know them: 42 percent enterprise, 34 percent government.
Have noticed an unfamiliar person working in an empty office in their area of the building: 21 percent enterprise, 41 percent government.
Have asked for identification or otherwise reported the unknown person: 28 percent enterprise, 63 percent government.
Have switched jobs internally and still had access to accounts or resources that they no longer needed: 33 percent enterprise, 34 percent government.
Have stumbled into an area of the corporate network to which they believed they should not have had access: 20 percent enterprise, 29 percent government.
It's not just end users to blame but also human resources departments or IT departments, or both, that are falling short on a number of fronts: not properly assigning user access rights or keeping them up to date, for example.
Read more here about how a Salesforce.com employee was duped into giving a customer list to a phisher.
Some suggestions from RSA:
- Check actual user behavior against policy. Adapt security policies so they're as convenient as possible for end users while still minimizing risk.
- For remote access, require two-factor authentication for VPNs and Web mail, not just a user name and password. Also, craft policy around data loss in mobile environments. For example, encrypt data on laptops instead of just requiring a user name and password, which are easily cracked.
- If you don't have sensitive data, you won't lose it and you don't have to secure it. RSA recommends automatic controls and enforcement for allowing, auditing, discarding, quarantining or encrypting data transmission, based on sensitivity.
- Physical access controls aren't enough to protect data given humans' propensity to do things like hold the door open for each other. They should be coupled with logical access controls, thus protecting data with two-factor authentication for internal wireless networks, desktops, domains, ports and applications.
- Make prompt changes in role-based access for role changes, including those of contractors and consultants.
- Keep a tight rein on insider credentials, including user names and passwords, one-time passwords and digital certificates. Also, keep watch lists for unauthorized access attempts.