A recent study sheds light on employee mistakes that can lead to corporate data loss and on how risky employee behavior varies geographically.
The research, commissioned by networking giant Cisco Systems Inc., surveyed 1,000 employees and 1,000 IT professionals in various industries in 10 countries. Among the findings:
- One in five employees altered security settings on company-owned computers so they could access restricted websites. China led the pack in this tinkering, followed by Brazil and India. Thirty-five percent said it's none of their company's business if they changed the settings.
- A majority of IT professionals said employees accessing unauthorized websites and programs contributed to up to 25% of corporate data leakage. IT pros in the U.S., Brazil and India were the most likely to express this view.
- One in four employees admitted to verbally sharing sensitive business data with family or friends. This type of leakage was most prevalent in Brazil.
- Almost two of three employees use work computers for personal activities such as downloading music and blogging.
- More than one in five German workers allow non-employees to roam offices without supervision.
"The landscape is really blurring between personal and work life," said Marie Hattar, vice president of network and security solutions at San Jose-based Cisco. "A lot of people use their work equipment for personal activities and this survey showcases that. We're seeing a slew of new applications and a lot more collaboration with Web 2.0 and mobility introducing new points of entry into the network."
The study shows that combating data loss requires more than IT security, she said.
"If you're looking to protect against data leakage and loss, you need a holistic strategy. You need physical and network security. … The third leg is you really need to educate your employees to make sure they don't expose you to further risk," Hattar said.
At River City Bank, preventing data loss requires policy, technology and, most important of all, security awareness training for its 200 employees.
"We have great firewall and network security, and a lot of technological advancements, but the number one thing that has proven to be worth its weight in gold is our security awareness training and education program," said Benjamin Craig, vice president and manager of information systems at the Sacramento, Calif.-based bank.
The security training at River City Bank, which has 18 branches, is conducted in a distributed way with involvement from departmental and business unit representatives. The program garners employee buy-in on security, Craig said.
Internal and external auditors validate the program's effectiveness, as do outside experts hired to test the bank's security via social engineering tests. "Every year for the past six years, the security company has said, 'We can't get through your people'," Craig said.
Nasrin Rezai, senior director of information security at Cisco, said the survey's results showing that employee behavior varies by geographic location are valuable in helping Cisco tailor its awareness programs.
She added that security practitioners need to prepare for the new generation entering the workforce, which grew up with a different mindset around sharing information online. Security pros will need to figure out how to drive security beyond technology by keeping cultural, geographic and generational considerations in mind, Rezai said.
"There are many dimensions we need to think about," she said.