Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/30/2008
10:31 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

End Users Lax With Company Data

A new security study shows end users from around the world treat data and corporate systems with little respect for the potential consequences. When it comes to corporate data, which is actually often customer data, there's little regard for security.

A new security study shows end users from around the world treat data and corporate systems with little respect for the potential consequences. When it comes to corporate data, which is actually often customer data, there's little regard for security.I didn't find much solace in the state of IT security after reading Dark Reading's Tim Wilson's story, "Study: Routine Misbehavior by End Users Can Lead to Major Data Leaks," which underscores the risk associated with the mixing of consumer devices and corporate data. It also reveals the near total disregard of corporate data by many employees:

More than half of end users have changed the security settings on their company-issued laptop to view restricted Web sites, even though they knew it was against company policy. About 35% say it is "none of the company's business" if they have changed the security settings on their computer, the study says.

"There are still a lot of users out there who see their company PC as 'their' machine, and they feel they should be able to do what they want on it," says Cisco security expert Christopher Burke. "There is still a lot of user education that needs to be done."

There's really not much that can be said to this absurdity. Employees with this kind of attitude toward systems they don't own, which hold and provide access to data their company is responsible to protect, deserve to have their systems locked down. By locked down, I mean as in if the application isn't on a strictly-enforced white list, it won't run. Frankly, I'd fire any employee, on the spot, for changing endpoint security settings on systems they don't own.

There's not much I can add to the highlights of this report. Yes, this is a vendor-funded research report, which should always raise skepticism, but if this study reflects reality, it's cause for concern. Each bullet point speaks for itself.


1. Altering security settings on computers: One of five employees altered security settings on work devices to bypass IT policy so they could access unauthorized Web sites. This was most common in emerging economies like China and India. When asked why, more than half (52%) said they simply wanted to access the site; a third said, "it's no one's business" which sites they access.



2. Use of unauthorized applications: Seven of 10 IT professionals said employee access of unauthorized applications and Web sites (e.g., unsanctioned social media, music download software, online shopping venues) ultimately resulted in as many as half of their companies' data loss incidents. This belief was most common in countries like the United States (74%) and India (79%).


3. Unauthorized network/facility access: In the past year, two of five IT pros dealt with employees accessing unauthorized parts of a network or facility. This was most prevalent in China, where almost two of three respondents encountered this issue. Of those who reported this issue globally, two-thirds encountered multiple incidents in the past year, and 14% encountered this issue monthly.


4. Sharing sensitive corporate information: In a sign that corporate trade secrets aren't always secret, one of four employees (24%) admitted verbally sharing sensitive information with nonemployees, such as friends, family, or even strangers. When asked why, some of the most common answers included, "I needed to bounce an idea off someone," "I needed to vent," and "I did not see anything wrong with it."


5. Sharing corporate devices: In a sign that data isn't always in the hands of the right people, almost half of the employees surveyed (44%) share work devices with others, such as non-employees, without supervision.


6. Blurring of work and personal devices, communications: Almost two of three employees admitted using work computers daily for personal use. Activities included music downloads, shopping, banking, blogging, participating in chat groups, and more. Half of the employees use personal e-mail to reach customers and colleagues, but only 40% said this is authorized by IT.


7. Unprotected devices: At least one in three employees leave computers logged on and unlocked when they're away from their desk. These employees also tend to leave laptops on their desks overnight, sometimes without logging off, creating potential theft incidents and access to corporate and personal data.


8. Storing logins and passwords: One in five employees store system logins and passwords on their computer or write them down and leave them on their desk, in unlocked cabinets, or pasted on their computers. In some countries like China (28%), employees reported storing logins and passwords to personal financial accounts on their work devices, leaving their identity and finances at risk. The fact that some employees leave devices unattended magnifies this risk.


9. Losing portable storage devices: Almost one in four (22%) employees carry corporate data on portable storage devices outside of the office. This is most prevalent in China (41%) and presents risks when devices are lost or stolen.


10. Allowing "tailgating" and unsupervised roaming: More than one in five (22%) German employers allow nonemployees to roam around offices unsupervised. The study average was 13%. And 18% have allowed unknown individuals to tailgate behind employees into corporate facilities.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.