Survey: Women more likely to download spyware

By Bill Brenner, Senior News Writer 16 May 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Spyware is a thorn in the side of many IT professionals, and questionable employee computing habits often don't help matters. Surprisingly though, according to results of a recent survey, there seems to be a difference in how the sexes respond to a security scare.

Women are more likely to accidentally download spyware at work, but they're more willing than men to call the help desk. Men are more likely than women to engage in personal Web surfing at work; spending more time on the Web overall and visiting a larger variety of Web sites, including those that are potentially malicious.

That, according to the seventh annual Web@Work survey conducted by San Diego-based security firm Websense Inc. and New York-based research firm Harris Interactive Inc.

Harris Interactive conducted online interviews with 351 U.S. IT decision makers at organizations with at least 100 employees between March 15 and 24; between March 16 and April 4, the firm surveyed 500 U.S. employees aged 18 and older who have Internet access at work and are employed by organizations with at least 100 employees.

Spyware still a major epidemic
In all, 92% of IT managers surveyed estimated that their organization has been infected by spyware at some point in the last 12 months, compared to 93% the year before.

Nearly one out of every five organizations -- 17% -- were infected after employees launched a hacking tool or keylogger within their network in the past year, up from 12% the year before. Keyloggers are considered to be among the more insidious forms of spyware, recording keystrokes and screen shots. Attackers use them to steal passwords and confidential information, among other things.

Of employees that have infected their PCs with spyware, 64% of women have called their IT department for help while only 30% of men have done so. Meanwhile, the survey found that men are 1.15 times more likely than women to visit weather sites; 2.3 times more likely than women to visit sports sites; 1.95 times more likely than women to visit investment/stock purchasing sites; and 2.5 times more likely than women to visit blogs.

"[The survey shows] some of the differences between how men and women use the Internet at work," Michael Newman, Websense vice president and general counsel, said in a statement. "However, one significant similarity shown in the survey is that both genders can easily be lured in by the Internet for its sheer entertainment value or as a resource to complete personal errands."

For more information Ideal intrusion defense combines processes and people Spyware, application attacks to be biggest 2006 threats Beware the bots

Dan Hubbard, Websense's senior director of security and technology research, said the findings show employees need more security education. While employee are becoming more aware of Web-based threats such as phishing attacks and keyloggers, he said, the vast majority of employees still don't realize how susceptible they are to social engineering schemes.

"It's important that employees follow the rules and not follow suspicious links received in e-mail or manually type in URLs," he said in an e-mail. But it's not all a matter of user ignorance, he added: "We are also seeing a growing sophistication in attacks. There's more drive-by spyware getting installed on end-user machines by simply visiting a Web site."

Adding to employee computing concerns, almost 73% of IT managers said employees use portable hard drives -- USB keys, for example -- to download company information. This is compared to 65% last year.

Bot and phishing remain problems
The survey also showed that IT managers remain preoccupied with phishing attacks and bot infections, especially on machines employees take outside the network.

Only 34% of respondents said they're very or extremely confident they can prevent bots from infecting employees' PCs when not connected to the corporate network. Nineteen percent of IT managers indicated they have had employees' work-owned computers or laptops infected with a bot. Bot-infected machines ultimately become part of a botnet, an army of hijacked computers attackers use to launch a variety of exploits.

The survey found that 62% of enterprise IT shops have bot filters on the network, while 14% don't and 24% of respondents said they're unsure.

More than four in five IT executives -- 81% -- reported that employees have received a phishing attack by e-mail or instant messaging (IM) compared to 82% last year. In nearly half of those cases -- 47% -- employees clicked through the URL, compared to 45% 12 months ago.

The survey showed more employees are aware of phishing, probably because of media coverage of the threat. Forty-nine percent of employees said they've heard of phishing, compared to only 33% last year.

But 44% of IT managers believe employees in their companies can't accurately identify phishing sites. This is a slight improvement over last year, when 50% said their employees couldn't do so.

To mitigate Web-based phishing and spyware attacks, 63% of IT managers said they block attachments transmitted through e-mail, compared to 60% who blocked e-mail-based executables last year.

Only 15% said they block HTML within e-mails, compared to 14% last year. Fifty-two percent of IT managers said they block executables transmitted through IM, compared to 47% last year.

Tags: Vulnerability Risk Assessment,  Web Application Security,  Information Security Policies, Procedures and Guidelines,  Malware, Viruses, Trojans and Spyware,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Risk Assessment Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? PCI compliance requirement 6: Systems and applications Cybercrime and threat management McAfee to acquire Solidcore Systems for whitelisting Vulnerability Risk Assessment Research Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary