With more and more reports emerging regarding the loss of sensitive data, a security study has identified the most common mistakes made by staff which can lead to data leaks.
The Cisco global security study was carried out by InsightExpress, and it surveyed a 1,000 IT professionals and 1,000 employees across ten different countries (US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil), in order to evaluate security and data leakage implications, as more and more businesses shift from centralised offices, to more distributed and remote workforces (a process that Cisco is heavily backing).
"There were a couple of surprises in the study," admitted John N. Stewart, chief security officer at Cisco during a video briefing to discuss the study. "Even in today's day and age, you can surprised by the most basic security lapses."
"Companies must realise that in a down economy, people are busy providing for their families first, then their communities, and then their businesses," he added. He suggested that companies should have funds available to help staff in financial difficulties, to remove the temptation for them to steal company secrets for profit.
The study identified a number of key behavioural findings, none of which will come as much of a surprise for today's IT professionals.
One of the most common issues is from users adjusting their security settings. No real surprise here, but the study found one in five staff have altered their security settings on their work machines so as to access unauthorised websites. When asked why, 52 percent said they simply wanted to access the site, whereas a third said it was "it's no one's business".
And users it seems are still accessing unauthorised applications, with seven out 10 IT professionals admitting that staff accessing unauthorised applications and websites (such as social media sites), has resulted in as many as half of their companies' data loss incidents.
And an age old problem still occurs with alarming regularity, after a worrying 24 percent of staff admitted to verbally sharing sensitive corporate with outsiders, including friends, family and even strangers. When asked why, some of the most common answers included, "I needed to bounce an idea off someone", "I needed to vent", and "I did not see anything wrong with it."
Other bad behaviour identified include unauthorised network/facility access (two of five IT professionals said they had dealt with staff accessing unauthorised parts of a network or facility in the past 12 months); sharing corporate devices (44 percent of staff said they share their work devices with other non-work people, without supervision); and two out three staff admit to using computers daily for personal use (including music downloads, shopping, banking, blogging etc).
And even basic security precautions are being ignored, with at least one in three employees leaving their computers logged on and unlocked when they're away from their desk (and they also tend to leave laptops on their desks overnight, sometimes without logging off).
Other bad behaviour includes one in five staff storing their system logins and passwords on their computer (or writing them down and leaving them on their desk, in unlocked cabinets, or pasted on their computers).
With the data losses on the rise from missing USB sticks, it is no surprise then that 22 percent of staff admit they carry corporate data on portable storage devices outside of the office.
Finally, Cisco also sees a problem with a process called tailgating, whereby a person closely follows a staff member into the office without being challenged for identification. 13 percent said they allow non-employees to roam around offices unsupervised.
As expected, Cisco recommends the following best practices for preventing data loss:
- Know your data; Manage it well: Know how/where it's stored, accessed, used.
- Treat data as if it's your own - Protect it like it's your money: Educate employees how data protection equates to money earned and money lost.
- Institutionalise standards for safe conduct: Determine global policy objectives and create localised education tailored to a country's culture and threat landscape.
- Foster a culture of trust: "Employees need to feel comfortable reporting incidents so IT can resolve problems faster.
- Establish security awareness, education and training: Think globally, but localise and tailor programs for regions based on threat landscape and culture.
"Data protection requires teamwork across the company. It's not just an IT job anymore," Stewart said.