In 2008, Cisco released an extensive research study on data leakage conducted by Insight Express using 2,000 respondents in 10 countries. The objectives are summarized in the following tasks:
- To explore how employees use company devices, including the communication services and devices used, the personal activities conducted, and the extent to which technology and information are shared.
- To learn the extent to which employees use non-IT-approved programs and applications, their concern for security issues, and the actions taken to prevent or uncover potential security breaches.
- To learn whether employees are aware of the security procedures, and how much they know that they are exposing their company to risk.

In the report on the study, entitled "Data Leakage Worldwide: Common Risks and Mistakes Employees Make", the authors concluded that the employee mistakes contributing to data leakage generally included the following:
- Unauthorized application use: 70% of IT professionals believe the use of unauthorized programs resulted in around half of their companies' data loss incidents.
- Misuse of corporate computers: 44% of employees share work devices with others without supervision and permission.
- Unauthorized physical and network access: 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility without permission.
- Remote worker security: 46% of employees admitted to transferring files between work and personal computers when working from home, endangering the company's resources and data.
- Misuse of passwords: Around 18% of employees share passwords with co-workers and even family members. That rate jumps to 25% in China, India, and Italy.

Stefanie Hoffman, writing for ChannelWeb magazine, analyzed the results in a conventional way, concluding that the key issue is a lack of understanding:

"Overwhelmingly, failure to comply with company regulation resulted from lack of communication. The study found that when IT communicates policies to employees, they often use non-verbal - and subsequently unmemorable - means, such as e-mail, IM and voicemail. As a result, 11 percent of employees said that IT never communicates or rarely educates them on security policies."

There's lots more discouraging information in the report, but it all confirms that users simply are not getting it when we yammer at them about security. So what's a security officer to do?

http://find.galegroup.com.ezproxy.uow.edu.au/gtx/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T001&prodId=AONE&docId=A214585244&source=gale&srcprod=AONE&userGroupName=uow&version=1.0