Online Privacy Threatened, but Risky Behaviors Persist: ISACA

Web users still make risky decisions when using the Internet, while the BYOD trend continues to pose major security challenges for IT departments.

Many U.S. consumers persist with actions and attitudes that put their online privacy and security at risk, despite the fact that 90 percent of those who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, according to a survey by the nonprofit IT association ISACA.

The organization’s 2012 IT Risk/Reward Barometer, which looked at online privacy for the first time, found consumers mistrust corporations more than they do fellow Internet users. While more than half (53 percent) feel that sharing information online has become riskier over the past year, respondents to the annual survey reported engaging in potentially risky online actions.

Nearly two-thirds (65 percent) of respondents said they do not verify the security settings of online shopping sites, while 36 percent have clicked on a link on a social media site from their work device and 19 percent used their work email address for personal online shopping or other non-work activities.

When asked to select the greatest threats to their online privacy, they chose a company’s misuse of personal information they supplied online to purchase or download an item (26 percent), inadequate privacy policies on social networking sites (13 percent), and a company’s use of cookies to track their Web activities (10 percent).

"As people share more intimate details about themselves online, they are more likely to be victims of targeted fraud and social engineering attacks," ISACA advisor John Pironti said. “The [report] shows a significant gap between what people believe and how they act. Despite considerable concern about their online privacy and security, consumers are simply not willing to give up behaviors that IT departments find to be high-risk. Enterprises need to balance employee reward and IT risk when it comes to mobile connectivity.”

The study also focused heavily on the burgeoning bring your own device (BYOD) trend and how the mix of employee-owned devices and access to corporate networks can cause security headaches for IT departments.

A third of respondents said they would be just as inclined to use their personal device for work purposes even if they knew their employer could track their online activity, while 15 percent have used a location-based mobile application. Twelve percent said they stored work passwords on their personal device and 11 percent have used a cloud service like Dropbox or Google Docs for work documents without their company’s knowledge.

Half of the IT professionals surveyed in a separate ISACA report said the risk of BYOD outweighs the benefits, yet year over year, there has been a five-percentage-point drop in enterprises that prohibit BYOD (down from 28 percent to 23 percent).

“Companies that embrace BYOD should implement security awareness training,” ISACA strategic advisory council member and vice president at CA Technologies Robert Stroud said. “ISACA recommends an embrace-and-educate approach as the best way of getting the benefits of BYOD while mitigating the associated risks.”