
Remote Workers Still Living Dangerously, Cisco Study Says

False sense of security leads many users to break company policies

If it seems that -- despite your company's best efforts to educate users about security -- users are actually behaving less responsibly, don't panic. Your organization isn't the only one.

In fact, Cisco Systems Inc. today is releasing the results of a disturbing third-party study it commissioned over the summer which proves conclusively that -- in many businesses all over the world -- remote users are actually engaging in more insecure behavior than they did the previous year.

In a survey of more than 2,000 people -- half of them IT people and half of them remote workers who use corporate computers -- the study found that there is a growing belief that the Internet is "safer" than it used to be, and this perception may be leading remote users to break policy even more often than they did last year.

"There is a false sense of security among remote workers out there, and it's growing," says Patrick Gray, senior security strategist at Cisco and former FBI investigator who headed up the study project. Some 56 percent of those surveyed said that the Internet is "safer" now than it was a year ago, compared with 48 percent last year.

It's not that security education programs have completely failed. In fact, in the survey, most respondents (69 percent) were slightly more cognizant of security issues in 2007 than they were the year before (67 percent). The problem is that, despite this awareness, the incidence of insecure behavior is actually growing anyway.

For example, despite repeated warnings, some 34 percent of respondents said they still click on suspicious and unknown emails "to see who it's from." Another 6 percent say they also click on the attachments.

Similarly, even though more respondents in 2007 (46 percent) recognize that office computers should not be used for personal tasks, the percentage of users who actually do so is growing (33 percent in 2007 vs. 30 percent in 2006). The incidence of Internet shopping at work (43 percent), the sharing of work computers with friends and family members (21 percent), and the hijacking of neighbors' WiFi connections (12 percent) all grew over the last year, according to the study.

Some 33 percent of respondents said their "company doesn't mind" their use of work computers for Internet shopping, and another 20 percent said they "would never get personal things done if I didn't do them while at work."

About 32 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family, and 32 percent also said their "company doesn't mind" when they do. Twenty-nine percent said they don't think sharing computers with friends or family increases security risks.

Gray said the results of the study suggest that individuals are less frightened of Internet security issues than they were a year or two ago. "When they were getting hit by huge worms that extended across the Web, they were more cautious," he says. "But now, if they are not being affected by it personally, they feel safer. It's a silent problem, because they aren't hearing about it at a personal level."

Despite widespread security awareness campaigns, many users believe that their company's security "messaging is mellowing," Gray says. The growing use of mobile devices and "Web 2.0" technologies such as social networking are driving users toward the Internet at a higher rate, but security policies and enforcement are perceived to be softer than they were a year ago, he suggests.

Perhaps even more importantly, the lines between home computing and work computing are beginning to blur, the study suggests. Nearly half (49 percent) of respondents now say they are using their own personal devices to access their work files, up from 45 percent a year ago. And some 48 percent of users now use their work computers to access personal files, up from 46 percent last year.

"It's not just PCs -- it's smartphones, it's wireless devices, it's PDAs," Gray says. "Do those devices belong to the company? To the individual? It's all over the map."

So what can enterprises do about these growing problems? An update of the corporate security awareness program might be one place to start.

"The messaging [from the corporation] needs to change," Gray said. "A lot of the awareness programs were written when viruses were the big problem, but you have to update your message as users move to things like Web 2.0. People have got to start to understand that the office PC is a business tool. You can't just use it whenever you want to upload the latest MP3 file or whatever."

Companies also will need to do a better job of deploying remote security technology that limits what users can access via their work machines, Gray advises. "Education alone is not going to do it," he says. "There has to be a technology component as well."

Cisco Systems Inc. (Nasdaq: CSCO)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
