Cisco Security Study Points Finger at Employees
Steven Alexander October 8 2008 09:44:36 AM
A very interesting article I came across on newsfactor.com.
Cisco has released the results of a global security study. The results, Cisco says, indicate that data loss can result from risky employee behavior. Cisco says that helping workers understand how their behavior affects the risk of data leakage will strengthen security practices. Cisco recommends employee-education programs on preventing data loss.
Employees could be to blame for one of the most prominent security concerns facing businesses today: Loss of corporate information.
So say findings from a new Cisco global security study. The report offers insight into the risks employees take that could cause data leakage. The reason is clear: With the move toward distributed business models and remote workforces, lines are blurring between work and home lives. That's leading to more collaborative devices and applications, including mobile phones, laptops, Web 2.0 applications, video and other social media.
The takeaway: There are opportunities for businesses to tailor risk-management plans that prevent data-loss incidents locally while remaining global in scope. Cisco surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries, including the United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil.
Security's Roots: User Behavior
"Security is ultimately rooted in users' behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss -- and what that ultimately means for both the individual and enterprise," said John N. Stewart, chief security officer at Cisco.
"Understanding this can help strengthen relationships between IT and employees, tailor localized awareness and education programs, and better manage risk," Stewart said. "Simply put, security practices can be more effective when all users realize what their actions result in."
The 10 most noteworthy behaviors that lead to data leakage are:
1. Altering security settings on computers.
2. Use of unauthorized applications.
3. Unauthorized network/facility access.
4. Sharing sensitive corporate information.
5. Sharing corporate devices.
6. Blurring of work and personal devices, communications.
7. Unprotected devices.
8. Storing logins and passwords.
9. Losing portable storage devices.
10. Allowing "tailgating" and unsupervised roaming.
According to Stewart, without modern-day security technologies, policies, awareness and education, information is more vulnerable. Today, data is in transit, in use within programs, stored on devices, and in places beyond the traditional business environment, such as at home, on the road, in cafés, and on airplanes and trains.
"This trend is here to stay," Stewart said. "To protect your data effectively, we need to start understanding the risk characteristics of business and then base technology, policy and awareness and education plans on those factors. Data protection requires teamwork across the company. It's not just an IT job anymore."
A Move To Thin-Client Computing?
Stewart said these behavioral findings can help companies structure employee-education programs at a regional level and sculpt global risk-management plans. He lists recommended practices for preventing data loss, including knowing your data and managing it well; treating data as if it's your own; educating employees on how data protection equates to money earned; institutionalizing standards for safe conduct; fostering a culture of trust; and establishing security awareness, education and training.
Zeus Kerravala, an analyst at the Yankee Group, agrees that education is a vital element of the solution. However, he's also somewhat disappointed in the industry for not focusing more on laptop security, although there has been a strong focus on mobile handsets. A move toward thin-client architecture, Kerravala added, could also be part of the answer.
"It will be interesting to see if companies use thin-client architecture more. It's changed a lot," Kerravala said. "When you look at what Citrix does with streaming desktops, it's much more secure than the personal desktop. There's a certain stigma associated with thin-client computing, but maybe it's time to put away our biases and actually do what's best for the company."
Article from: http://www.newsfactor.com/story.xhtml?story_id=62187&page=1

