Survey: Women more likely to download spyware

By Bill Brenner, Senior News Writer 16 May 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Spyware is a thorn in the side of many IT professionals, and questionable employee computing habits often don't help matters. Surprisingly though, according to results of a recent survey, there seems to be a difference in how the sexes respond to a security scare.

Women are more likely to accidentally download spyware at work, but they're more willing than men to call the help desk. Men are more likely than women to engage in personal Web surfing at work; spending more time on the Web overall and visiting a larger variety of Web sites, including those that are potentially malicious.

That, according to the seventh annual Web@Work survey conducted by San Diego-based security firm Websense Inc. and New York-based research firm Harris Interactive Inc.

Harris Interactive conducted online interviews with 351 U.S. IT decision makers at organizations with at least 100 employees between March 15 and 24; between March 16 and April 4, the firm surveyed 500 U.S. employees aged 18 and older who have Internet access at work and are employed by organizations with at least 100 employees.

Spyware still a major epidemic
In all, 92% of IT managers surveyed estimated that their organization has been infected by spyware at some point in the last 12 months, compared to 93% the year before.

Nearly one out of every five organizations -- 17% -- were infected after employees launched a hacking tool or keylogger within their network in the past year, up from 12% the year before. Keyloggers are considered to be among the more insidious forms of spyware, recording keystrokes and screen shots. Attackers use them to steal passwords and confidential information, among other things.

Of employees that have infected their PCs with spyware, 64% of women have called their IT department for help while only 30% of men have done so. Meanwhile, the survey found that men are 1.15 times more likely than women to visit weather sites; 2.3 times more likely than women to visit sports sites; 1.95 times more likely than women to visit investment/stock purchasing sites; and 2.5 times more likely than women to visit blogs.

"[The survey shows] some of the differences between how men and women use the Internet at work," Michael Newman, Websense vice president and general counsel, said in a statement. "However, one significant similarity shown in the survey is that both genders can easily be lured in by the Internet for its sheer entertainment value or as a resource to complete personal errands."

For more information Ideal intrusion defense combines processes and people Spyware, application attacks to be biggest 2006 threats Beware the bots

Dan Hubbard, Websense's senior director of security and technology research, said the findings show employees need more security education. While employee are becoming more aware of Web-based threats such as phishing attacks and keyloggers, he said, the vast majority of employees still don't realize how susceptible they are to social engineering schemes.

"It's important that employees follow the rules and not follow suspicious links received in e-mail or manually type in URLs," he said in an e-mail. But it's not all a matter of user ignorance, he added: "We are also seeing a growing sophistication in attacks. There's more drive-by spyware getting installed on end-user machines by simply visiting a Web site."

Adding to employee computing concerns, almost 73% of IT managers said employees use portable hard drives -- USB keys, for example -- to download company information. This is compared to 65% last year.

Bot and phishing remain problems
The survey also showed that IT managers remain preoccupied with phishing attacks and bot infections, especially on machines employees take outside the network.

Only 34% of respondents said they're very or extremely confident they can prevent bots from infecting employees' PCs when not connected to the corporate network. Nineteen percent of IT managers indicated they have had employees' work-owned computers or laptops infected with a bot. Bot-infected machines ultimately become part of a botnet, an army of hijacked computers attackers use to launch a variety of exploits.

The survey found that 62% of enterprise IT shops have bot filters on the network, while 14% don't and 24% of respondents said they're unsure.

More than four in five IT executives -- 81% -- reported that employees have received a phishing attack by e-mail or instant messaging (IM) compared to 82% last year. In nearly half of those cases -- 47% -- employees clicked through the URL, compared to 45% 12 months ago.

The survey showed more employees are aware of phishing, probably because of media coverage of the threat. Forty-nine percent of employees said they've heard of phishing, compared to only 33% last year.

But 44% of IT managers believe employees in their companies can't accurately identify phishing sites. This is a slight improvement over last year, when 50% said their employees couldn't do so.

To mitigate Web-based phishing and spyware attacks, 63% of IT managers said they block attachments transmitted through e-mail, compared to 60% who blocked e-mail-based executables last year.

Only 15% said they block HTML within e-mails, compared to 14% last year. Fifty-two percent of IT managers said they block executables transmitted through IM, compared to 47% last year.

Tags: Vulnerability Risk Assessment,  Web Application Security,  Information Security Policies, Procedures and Guidelines,  Malware, Viruses, Trojans and Spyware,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Risk Assessment Are Web application penetration tests still important? McAfee to acquire Solidcore Systems for whitelisting The Pipe Dream of No More Free Bugs Vulnerability test methods for application security assessments Free HP SWFScan tool detects Adobe Flash flaws PCI QSA assurance program penalizes assessors Information security book excerpts and reviews New York drafts language demanding secure code Security experts identify 25 dangerous coding errors Microsoft Windows XML flaw exploits test desktop antimalware Vulnerability Risk Assessment Research Web Application Security nCircle statistics show rising Web application vulnerabilities Twitter bugs, DNSSEC and broswer security Month of Twitter Bugs project to document Twitter flaws Are Web application penetration tests still important? IT pros can detect, prevent website vulnerabilities, thwart attacks PCI compliance requirement 6: Systems and applications Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits XSS bugs, information leakage top list of website vulnerabilities How to find and stop automated SQL injection attacks Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary