Far-Flung Danger

Remote workers still imperil enterprise security with sloppy hookups

Remote workers continue to expose their employers to a wide range of IT threats by using poor laptop etiquette and connecting to corporate systems using nontrusted wireless links, according to a report sponsored by Cisco Systems.

In a study conducted for Cisco by InsightExpress, market researchers interviewed 1,000 remote workers in 10 countries and found that many continue to use poor judgment in adhering to security policies despite having been warned of threats lurking on the Web and wireless networks.

While a vast majority of remote workers interviewed in the United States and elsewhere said they're aware of security issues while working outside the office, far fewer said they aggressively police their own computing activity to limit exposure to threats.

For instance, while 68 percent of the U.S. workers interviewed said they had been warned about risky laptop behavior, 30 percent said they still use their company-issued computers for personal tasks, with 46 percent admitting to using their computers to shop at e-commerce sites.

Although most users had been informed of the threats of e-mail-borne viruses after the outbreaks of the last several years, some 24 percent of the U.S. users said they still open unknown messages, and 19 percent said they allow someone else to use their work computer.

Showing a lack of concern over unfamiliar wireless networks and the inherent dangers of connecting to such systems, 12 percent of those surveyed in the United States said they still connect to the Web and corporate systems using unrecognized wireless links.

Results for the U.S. workers interviewed were fairly consistent in all categories with those for remote workers in places such as Germany, the United Kingdom and India, but users in some nations—China, in particular—remain even less concerned about employing stricter security habits.

While 78 percent of Chinese respondents said they are mindful of security—the highest total for any country in the survey—some 57 percent said they use their devices for personal use, with 54 percent using their work PCs to shop online.

Another 57 percent of Chinese users said they open unknown e-mail messages, 42 percent allow others to use their computers and 19 percent admit to using unknown wireless Internet access.

"Actions speak louder than words, and while people are saying one thing, their activities are something else altogether," said Bruce Murphy, vice president of advanced services at Cisco, in San Jose, Calif. "Clearly, people are engaging in behavior that contradicts what they know about security because they fail to understand that they are actually putting their companies at a great risk for malware and other attacks."

Some 66 percent of U.S. workers responding to the survey said they regularly fail to comply with safe remote PC or network usage policies because their companies do not mind the activities they pursue. Twenty-seven percent said they use their company PCs to conduct shopping or other non-work-related activities because the devices are the most secure computers they have access to.

Part of the problem, Murphy said, is that many companies release boilerplate security policies that don't explicitly warn users about some risky behaviors, or they adopt guidelines that rule out so many common PC uses that people ignore the recommendations.

"In general, establishing policies for policies' sake causes an overreaction by end users. The constructive path is to get users to understand why they need to modify [the way they] behave, and not just [to issue] some draconian request for restrictions," Murphy said.

"The more people understand about why they need to behave in a certain way, the more likely they will be to adhere to a policy," he said. "Companies need to understand that they can't just continue to come at this problem from a negative-reinforcement perspective."

Workers Behaving Badly

Despite an admitted knowledge of security policies, many remote workers in the United States still put themselves and their employers at risk.

* Cognizant of remote security policies
* Use company PC for nonwork activities
* Use company PC for personal shopping
* Open unknown e-mail messages
* Allow others to use company PC
* Use unfamiliar wireless networks

Source: Cisco/InsightExpress