Sunday, October 19, 2008

Security mistakes

Cisco Research Reveals Common Data Loss Mistakes

Global study explores behavioral risks based on country, culture - from accessing unauthorized facilities and networks to intentionally leaking corporate information

Cisco today announced findings from a new global security study that spotlights numerous risks taken by employees that can lead to one of the most prominent security concerns for businesses: the loss of corporate information. The study identifies common data leakage mistakes among workforces around the world and is based on surveys of more than 2,000 employees and information technology professionals in 10 countries. The findings show that behavioral risks of employees can vary by country and culture, creating opportunities for businesses to tailor risk management plans that prevent incidents locally while remaining global in scope.

Conducted by InsightExpress, a U.S.-based market research firm, the study was commissioned by Cisco to examine security and data leakage (www.cisco.com/go/dlp) implications for businesses at a time when employee lifestyles and work environments are changing dramatically. As the reliance on centralized offices shifts to distributed business models and remote workforces, lines are blurring between work life and personal life. This operational shift for businesses and the lifestyle overlap for employees are driven in large part by the proliferation of collaborative devices and applications that are used for both purposes, including mobile phones, laptops, Web 2.0 applications, video and other social media.

This evolving business environment serves as a backdrop for the study, which surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries: the United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia, and Brazil. The countries were chosen because they represent a diverse set of social and business cultures, established and emerging network-dependent economies and varied levels of Internet adoption.

"We conducted this research in order to understand behavior, not technology per se," said John N. Stewart, chief security officer of Cisco. "Security is ultimately rooted in users' behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss - and what that ultimately means for both the individual and enterprise. Understanding this can help strengthen relationships between IT and employees, tailor localized awareness and education programs, and better manage risk. Simply put, security practices can be more effective when all users realize what their actions result in."

Of the many behavioral findings, the 10 most noteworthy were:

1. Altering security settings on computers:
2. Use of unauthorized applications:
3. Unauthorized network/facility access:
4. Sharing sensitive corporate information:
5. Sharing corporate devices:
6. Blurring of work and personal devices, communications:
7. Unprotected devices:
8. Storing logins and passwords:
9. Losing portable storage devices:
10. Allowing "tailgating" and unsupervised roaming:

"Businesses are enabling employees to become increasingly collaborative and mobile," Stewart said. "Without modern-day security technologies, policies, awareness and education, information is more vulnerable. Today, data is in transit, in use, within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafes, on airplanes and trains. This trend is here to stay. To protect your data effectively, we need to start understanding the risk characteristics of business and then base technology, policy, and awareness and education plans on those factors."
