Spyware is a thorn in the side of many IT professionals, and questionable employee computing habits often don't help matters. Surprisingly though, according to results of a recent survey, there seems to be a difference in how the sexes respond to a security scare.
Women are more likely to accidentally download spyware at work, but they're more willing than men to call the help desk. Men are more likely than women to engage in personal Web surfing at work, spending more time on the Web overall and visiting a larger variety of Web sites, including those that are potentially malicious.
That is according to the seventh annual Web@Work survey conducted by San Diego-based security firm Websense Inc. and New York-based research firm Harris Interactive Inc.
Harris Interactive conducted online interviews with 351 U.S. IT decision makers at organizations with at least 100 employees between March 15 and 24; between March 16 and April 4, the firm surveyed 500 U.S. employees aged 18 and older who have Internet access at work and are employed by organizations with at least 100 employees.
Spyware still a major epidemic
In all, 92% of IT managers surveyed estimated that their organization has been infected by spyware at some point in the last 12 months, compared to 93% the year before.
Nearly one out of every five organizations -- 17% -- were infected after employees launched a hacking tool or keylogger within their network in the past year, up from 12% the year before. Keyloggers are considered to be among the more insidious forms of spyware, recording keystrokes and screen shots. Attackers use them to steal passwords and confidential information, among other things.
Of employees who have infected their PCs with spyware, 64% of women have called their IT department for help while only 30% of men have done so. Meanwhile, the survey found that men are 1.15 times more likely than women to visit weather sites; 2.3 times more likely than women to visit sports sites; 1.95 times more likely than women to visit investment/stock purchasing sites; and 2.5 times more likely than women to visit blogs.
"[The survey shows] some of the differences between how men and women use the Internet at work," Michael Newman, Websense vice president and general counsel, said in a statement. "However, one significant similarity shown in the survey is that both genders can easily be lured in by the Internet for its sheer entertainment value or as a resource to complete personal errands."
"It's important that employees follow the rules and not follow suspicious links received in e-mail or manually type in URLs," he said in an e-mail. But it's not all a matter of user ignorance, he added: "We are also seeing a growing sophistication in attacks. There's more drive-by spyware getting installed on end-user machines by simply visiting a Web site."
Adding to employee computing concerns, almost 73% of IT managers said employees use portable hard drives -- USB keys, for example -- to download company information. This is compared to 65% last year.
Bot and phishing remain problems
The survey also showed that IT managers remain preoccupied with phishing attacks and bot infections, especially on machines employees take outside the network.
Only 34% of respondents said they're very or extremely confident they can prevent bots from infecting employees' PCs when not connected to the corporate network. Nineteen percent of IT managers indicated they have had employees' work-owned computers or laptops infected with a bot. Bot-infected machines ultimately become part of a botnet, an army of hijacked computers attackers use to launch a variety of exploits.
The survey found that 62% of enterprise IT shops have bot filters on the network, while 14% don't and 24% of respondents said they're unsure.
More than four in five IT executives -- 81% -- reported that employees have received a phishing attack by e-mail or instant messaging (IM) compared to 82% last year. In nearly half of those cases -- 47% -- employees clicked through the URL, compared to 45% 12 months ago.
The survey showed more employees are aware of phishing, probably because of media coverage of the threat. Forty-nine percent of employees said they've heard of phishing, compared to only 33% last year.
But 44% of IT managers believe employees in their companies can't accurately identify phishing sites. This is a slight improvement over last year, when 50% said their employees couldn't do so.
To mitigate Web-based phishing and spyware attacks, 63% of IT managers said they block attachments transmitted through e-mail, compared to 60% who blocked e-mail-based executables last year.
Only 15% said they block HTML within e-mails, compared to 14% last year. Fifty-two percent of IT managers said they block executables transmitted through IM, compared to 47% last year.