If it seems that -- despite your company's best efforts to educate users about security -- users are actually behaving less responsibly, don't panic. Your organization isn't the only one.
In fact, Cisco Systems Inc. today is releasing the results of a disturbing third-party study it commissioned over the summer which proves conclusively that -- in many businesses all over the world -- remote users are actually engaging in more insecure behavior than they did the previous year.
In a survey of more than 2,000 people -- half of them IT people and half of them remote workers who use corporate computers -- the study found that there is a growing belief that the Internet is "safer" than it used to be, and this perception may be leading remote users to break policy even more often than they did last year.
"There is a false sense of security among remote workers out there, and it's growing," says Patrick Gray, senior security strategist at Cisco and former FBI investigator who headed up the study project. Some 56 percent of those surveyed said that the Internet is "safer" now than it was a year ago, compared with 48 percent last year.
It's not that security education programs have completely failed. In fact, in the survey, most respondents (69 percent) were slightly more cognizant of security issues in 2007 than they were the year before (67 percent). The problem is that, despite this awareness, the incidence of insecure behavior is actually growing anyway.
For example, despite repeated warnings, some 34 percent of respondents said they still click on suspicious and unknown emails "to see who it's from." Another 6 percent say they also click on the attachments.
Similarly, even though more respondents in 2007 (46 percent) recognize that office computers should not be used for personal tasks, the percentage of users who actually do so is growing (33 percent in 2007 vs. 30 percent in 2006). The incidence of Internet shopping at work (43 percent), the sharing of work computers with friends and family members (21 percent), and the hijacking of neighbors' WiFi connections (12 percent) all grew over the last year, according to the study.
Some 33 percent of respondents said their "company doesn't mind" their use of work computers for Internet shopping, and another 20 percent said they "would never get personal things done if I didn't do them while at work."
About 32 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family, and 32 percent also said their "company doesn't mind" when they do. Twenty-nine percent said they don't think sharing computers with friends or family increases security risks.
Gray said the results of the study suggest that individuals are less frightened of Internet security issues than they were a year or two ago. "When they were getting hit by huge worms that extended across the Web, they were more cautious," he says. "But now, if they are not being affected by it personally, they feel safer. It's a silent problem, because they aren't hearing about it at a personal level."
Despite widespread security awareness campaigns, many users believe that their company's security "messaging is mellowing," Gray says. The growing use of mobile devices and "Web 2.0" technologies such as social networking are driving users toward the Internet at a higher rate, but security policies and enforcement are perceived to be softer than they were a year ago, he suggests.
Perhaps even more importantly, the lines between home computing and work computing are beginning to blur, the study suggests. Nearly half (49 percent) of respondents now say they are using their own personal devices to access their work files, up from 45 percent a year ago. And some 48 percent of users now use their work computers to access personal files, up from 46 percent last year.
"It's not just PCs -- it's smartphones, it's wireless devices, it's PDAs," Gray says. "Do those devices belong to the company? To the individual? It's all over the map."
So what can enterprises do about these growing problems? An update of the corporate security awareness program might be one place to start.
"The messaging [from the corporation] needs to change," Gray said. "A lot of the awareness programs were written when viruses were the big problem, but you have to update your message as users move to things like Web 2.0. People have got to start to understand that the office PC is a business tool. You can't just use it whenever you want to upload the latest MP3 file or whatever."
Companies also will need to do a better job of deploying remote security technology that limits what users can access via their work machines, Gray advises. "Education alone is not going to do it," he says. "There has to be a technology component as well."
Cisco Systems Inc. (Nasdaq: CSCO)
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...