End Users Lax With Company Data

A new security study shows end users from around the world treat data and corporate systems with little respect for the potential consequences. When it comes to corporate data, which is actually often customer data, there's little regard for security.I didn't find much solace in the state of IT security after reading Dark Reading's Tim Wilson's story, "Study: Routine Misbehavior by End Users Can Lead to Major Data Leaks," which underscores the risk associated with the mixing of consumer devices and corporate data. It also reveals the near total disregard of corporate data by many employees: "More than half of end users have changed the security settings on their company-issued laptop to view restricted Web sites, even though they knew it was against company policy. About 35% say it is "none of the company's business" if they have changed the security settings on their computer, the study says.

"There are still a lot of users out there who see their company PC as 'their' machine, and they feel they should be able to do what they want on it," says Cisco security expert Christopher Burke. "There is still a lot of user education that needs to be done."

"

There's really not much that can be said to this absurdity. Employees with this kind of attitude toward systems they don't own, which hold and provide access to data their company is responsible to protect, deserve to have their systems locked down. By locked down, I mean as in if the application isn't on a strictly-enforced white list, it won't run. Frankly, I'd fire any employee, on the spot, for changing endpoint security settings on systems they don't own.

There's not much I can add to the highlights of this report. Yes, this is a vendor-funded research report, which should always raise skepticism, but if this study reflects reality, it's cause for concern. Each bullet point speaks for itself.

"
1. Altering security settings on computers: One of five employees altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites. This was most common in emerging economies like China and India. When asked why, more than half (52%) said they simply wanted to access the site; a third said, "it's no one's business" which sites they access.



2. Use of unauthorized applications: Seven of 10 IT professionals said employee access of unauthorized applications and Web sites (e.g., unsanctioned social media, music download software, online shopping venues) ultimately resulted in as many as half of their companies' data loss incidents. This belief was most common in countries like the United States (74%) and India (79%).


"