Data loss is most often blamed on ingenious hackers and technical complexity within enterprise businesses, but many incidents are instead related to faulty user behavior and careless mistakes, according to a new report published by networking giant Cisco.
According to the report issued on Tuesday, which is based on interviews carried out with 2,000 workers and IT specialists located in 10 different countries, behavioral risks may play as great, if not more of a role in leading to data loss than any other issue.
The study, conducted by InsightExpress for Cisco, also found that adherence to data-related policies and practices also vary greatly in different areas of the globe.
One of the biggest problems related to corporate data loss is the growing ability for workers to carry data out of protected environments on their laptops and mobile devices, as well as the increased use of social networking sites and other Web 2.0 platforms, the report contends.
“As the reliance on centralized offices shifts to distributed business models and remote workforces, lines are blurring between work life and personal life,” the researchers wrote. “This operational shift for businesses and the lifestyle overlap for employees are driven in large part by the proliferation of collaborative devices and applications that are used for both purposes, including mobile phones, laptops, Web 2.0 applications, video and other social media.”
The report specifically involved users and IT pros in the United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia, and Brazil.
Across the board the theme seems to be that many users don’t feel beholden to their employers’ rules and regulations, or simply don’t care to follow them.
Among the most intriguing findings of the survey were findings that:
-One of five employees interviewed altered their computer’s security settings to bypass IT policies so that they could access unauthorized Web sites. This trend was most popular in emerging economies including China and India. When asked why, 52 percent of respondents said that they simply wanted to access the site and a third said it was no one’s business which sites they access.
-Seven of 10 IT professionals said that employees’ access of unauthorized applications and Web sites (e.g. unsanctioned social media, music downloads, e-commerce) resulted in as many as half of their companies’ data loss incidents. This was most common in countries like the United States (74 percent) and India (79 percent).
-In the past year alone, two of five IT pros dealt with employees accessing unauthorized parts of a network or facility. This was most prevalent in China, where almost two of three respondents encountered the issue. Of those who reported this issue globally, two-thirds encountered multiple incidents in the past year, and 14 percent encountered this issue monthly.
-Roughly 24 percent of employees admitted verbally sharing sensitive information to non-employees, such as friends, family, or even strangers. Most of those respondents said they either wanted to bounce an idea off of someone or that they didn’t see anything wrong with their behavior.
-Some 44 percent of the employees surveyed share their work devices with others, such as non-employees, without supervision.
-Almost two of three employees admitted using work computers daily for personal use. Popular activities included music downloads, shopping, banking, blogging, and participating in chat groups. Half of the employees use personal e-mail to reach customers and colleagues, but only 40 percent said this was authorized by IT.
-At least one in three employees leave their computers logged on and unlocked when they’re away from their desk. These employees also tend to leave laptops on their desks overnight, sometimes without logging off.
-One in five employees store system logins and passwords on their computer or write them down and leave them on their desk, in unlocked cabinets, or pasted on their computers. In some countries, such as China (28 percent), employees reported storing logins and passwords to personal financial accounts on their work devices.
-Some 22 percent of employees carry corporate data on portable storage devices outside of the office. This is most prevalent in China (41 percent).
So it would seem that rather than installing complex DLP system or encryption platforms, what would make a huge difference would be if more organizations enforced their user policies a bit more aggressively. Or a lot more aggressively, especially in China!
“We did not conduct this research to take a ‘doomsday approach,” John Stewart, CSO at Cisco, said in the report. “Security is ultimately rooted in human behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss — and what that ultimately means for both the individual and enterprise.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].