Posts Tagged ‘survey’

Survey Shows Lack of Planning for Insider Threats

Tuesday, December 30th, 2008

Last month we mentioned that Lanxoma was conducting a survey about insider threats and how companies are tackling that issue. The results of the survey came out, and were quite interesting!

The press release does not indicate how many people took the survey, so the results must be read with that in mind. Nonetheless, like many similar surveys, Lanxoma’s survey revealed that 43% of respondents had experienced fraud, theft or losses that are a direct result of employees with access to sensitive information.

Given the economic situation, many companies involved in the survey have had to make layoffs, cut raises or defer promotions. 72% of the respondents feel this has increased their risk for insider attacks.

The survey also revealed that 28% of respondents believe that employees with a technical background are more likely to commit insider attacks. However, industry experts have shown that it is not technical know-how that increases risk of attack, but rather the dissatisfied employee who simply has access to information. Employees with existing access to sensitive information do not need to know much in order to take it.

Of those surveyed, only 20% of respondents say they have processes and security measures in place to combat insider threats. Most respondents believed they could do more. One area needing improvement is user privileges, which determine which type of user has access to what kind of data; this restricts sensitive information to only those employees who need it. Most companies interviewed had no such safeguards, nor were they consistently monitoring what data was accessed and by whom.

Have you defined your Insider Threats?

Monday, November 24th, 2008

Cisco recently released a whitepaper about data leakage worldwide and the resulting costs. The global study, polling more than 2000 employees and IT professionals in 10 countries, indicated that insider threats were far more prevalent than previously thought.

Cisco commissioned the security study from InsightExpress in order to understand if social and business cultures had any impact on data leakage. The results indicate that “insider threats”, caused by uninformed, careless or disgruntled employees accidentally or purposefully doing something which breaches data, have the potential for greater financial losses than outside attacks on the company. In the context of this survey, they also counted every device capable of storing data as part of the “insider threat”, given that the loss of these devices poses a high risk.

Cisco put together two papers focused on employee behavior that could put corporate data at risk. The papers found that IT professionals are often unaware of the employee behaviors which put data at risk – this obviously makes preventing loss quite the challenge.

The study examined the effectiveness of security policies – how they are created, communicated and how compliance is enforced. The lack of a policy and compliance with existing policies were large factors in data loss. Unfortunately, the survey showed that IT professionals lack an awareness of how many employees understand and comply with security policies.

Highlights from the study:

  • 39% were more concerned about the threat from their own employees than the threat from outside hackers
  • 33% were most concerned about data being lost or stolen through USB devices
  • 27% admitted that they did not know the trends of data loss incidents over the past few years
  • 43% said they are not educating employees well enough
  • 19% said they have not communicated their security policy to employees well enough
  • 9% reported that they have lost or had their corporate device stolen (26% of those experienced more than one incident in the past year)
  • IT professionals believe that the slipping of employee behaviors, in terms of safeguarding intellectual property, stems from too much information being dealt with (48%) and a growing apathy towards security stemming from faster-paced jobs (43%)
  • 11% reported that they or fellow employees accessed unauthorized information and sold it for profit, or stole computers

The study concludes that a lack of awareness and of diligence, as well as purposeful defiance, pose a significant risk of data loss. The report lumps the loss of laptops and other portable devices in with the “diligence” section, for the most part. Sadly, most lost-laptop reports back up the findings: employee behaviors are to blame for the lack of data safeguards on laptops, such as leaving laptops logged on, leaving passwords in sight, leaving laptops in cars, etc.

“Preventing data leakage is a business-wide challenge. IT professionals, executives, and employees at every level of responsibility must work together to protect critical data assets…

Like outsider threats, addressing the insider threat demands a comprehensive approach that includes education, policy, and technology.”

The recommended approach focuses on education and accountability. Technologies can help, such as Absolute’s Computrace solutions, which solve some compliance issues by tracking assets and even monitoring software.

Download link: Data Leakage Worldwide White Paper: The High Cost of Insider Threats [PDF]

Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.
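The Lanxoma post above says the gap is in user privileges and in monitoring who accesses what, and the RSA survey says 43% kept access after switching jobs internally and 37% reached parts of the network they should not have. The following Python access-review script is an added example, not code from either survey or from Absolute; it assumes a constructed role-to-resource policy, a constructed directory snapshot and a constructed access log, and flags both stale grants and access events outside the user's current role.

```python
import re

# Constructed policy (assumption): the resources each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"gl_ledger", "payroll_db"},
    "sales_rep": {"crm", "price_list"},
    "it_helpdesk": {"ticketing", "ad_user_admin"},
}

# Constructed directory snapshot: current role plus every grant the account holds.
# "dana" moved from finance to sales but kept the finance grants, which is the
# "switched jobs internally and still had access" case from the RSA survey.
ACCOUNTS = {
    "dana": {"role": "sales_rep",
             "grants": {"crm", "price_list", "gl_ledger", "payroll_db"}},
    "lee": {"role": "it_helpdesk", "grants": {"ticketing", "ad_user_admin"}},
    "sam": {"role": "finance_analyst", "grants": {"gl_ledger", "payroll_db", "crm"}},
}

# Constructed access log: "<timestamp> <user> <resource> <action>" per line.
ACCESS_LOG = """\
2008-11-14T09:02:11 dana payroll_db read
2008-11-14T09:05:40 lee ticketing update
2008-11-14T10:17:03 sam crm export
2008-11-14T11:30:55 dana crm read
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def stale_grants(accounts=ACCOUNTS, policy=ROLE_ENTITLEMENTS):
    """Grants an account holds that its current role does not justify (recertification input)."""
    findings = {}
    for user, acct in accounts.items():
        extra = acct["grants"] - policy.get(acct["role"], set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def out_of_role_access(log=ACCESS_LOG, accounts=ACCOUNTS, policy=ROLE_ENTITLEMENTS):
    """Access events touching a resource outside the user's role; unknown users are always flagged."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently trusting them
        ts, user, resource, action = m.groups()
        role = accounts.get(user, {}).get("role")
        if resource not in policy.get(role, set()):
            hits.append((ts, user, role, resource, action))
    return hits


if __name__ == "__main__":
    print("stale grants:", stale_grants())
    for hit in out_of_role_access():
        print("out-of-role access:", hit)
```

Fed a real directory export and access log in the same shape, the two functions give a review team the list of entitlements to revoke and the events that a monitoring step should have surfaced.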

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages by overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online; image: mconnors @morguefile

Encrypted Wireless on the Rise

Wednesday, November 12th, 2008

RSA just released the results of their annual wireless security survey. The survey indicates that, with wireless use up dramatically in home, business and public hot-spots, encryption is improving. 97% of corporate access points in New York City were encrypted, up from 76% last year.

The improvements are not universal across major cities, with London having 20% of wireless access points without any form of encryption. In addition, this survey (for the first time) looked at the type of wireless encryption standard used. Since the WEP standard is no longer adequate, access points relying on it are not as well protected as the headline encryption figures suggest. Paris has advanced security on 72% of wireless access points, while NY and London had below 50%. The survey also looked, for the first time, at in-home wireless security, and found security on home wireless networks to be superior to corporate networks.

RSA also has a great blog post about the importance of the 5 Ps – Proper Planning Prevents Poor Performance. Worth a read! And to continue your reading, check out our laptop security best practices.

Image: ppdigital @morguefile

Global State of Information Security Report

Thursday, October 30th, 2008

CSO Online has released the results of its annual survey, The Global State of Information Security 2008 [PDF]. The survey indicates that security spending is on the rise – a trend that is projected to continue, despite current economic uncertainty.

The survey includes answers from more than 7,000 senior executives and shows some surprising results – such as that 14% of security incidents in the past year involved devices. This shows a growing trend in the use of mobile devices, and the lag evident in mobile security planning.

With the IT group still strong as a source for information security funding, the survey found that the “IT Toolbox” is more comprehensive than before. More companies now have malicious-code detection tools, application-level firewalls, intrusion detection & prevention tools, encryption, automated password reset tools and wireless handheld device security.

Despite all those positive increases in the use of IT security tools, some numbers are still quite low. For example, only 50% of companies have laptop encryption tools, with even fewer (42%) having wireless handheld device security. There is no data available on additional laptop security measures such as Absolute’s laptop tracking & recovery solution. Encryption alone is only a base level of laptop security planning.

When it comes to security incidents, there still exists a wide knowledge gap. 45% of security incidents in the last year could not be connected back to known vulnerabilities. Of those that could be identified, the method of exploitation was most often at the network level. Employees and former employees, however, remain the largest source of security incidents (although less so this year than in past years). What this indicates is that technology solutions have been rolled out without being part of a more comprehensive security policy.

“If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information”

Interesting findings from the study:

  • Business continuity and compliance are the lead reasons for investing in security (57%)
  • 28% of consumer products and retail executives say security spending is poorly aligned with business objectives
  • 45% of respondents can’t identify vulnerabilities that led to security incidents
  • 43% of respondents audit or monitor user compliance with security policies
  • 22% of respondents keep an inventory of the outside companies that use data

The last result is quite telling – considering the number of data breaches that have been the result of third party mistakes, this is an obvious area of concern in security policies. Additionally, only 37% of survey respondents require third parties to comply with internal privacy policies. There appears to be greater confidence in third parties than reality may warrant – 75% believe their partners’ security is effective, while only 28% perform due diligence to understand their security precautions.

Continue reading the CSO Online analysis of this survey here. You can also check out Absolute Software’s whitepaper on endpoint security.

10 Common Risks Employees Make that put Data at Risk

Friday, October 10th, 2008

Cisco announced the findings for a new study about data loss and its sources. The survey, conducted by InsightExpress of more than 2000 employees, outlines 10 common risks and mistakes employees make that put data at risk. The study, which was conducted across 10 countries, also found that behavioral risks of employees can vary by country and culture. 100 employees and 100 IT professionals were surveyed in each country.

The study was commissioned in order to understand the risks of an increasingly distributed and mobile business force. With the lines between work life and personal life blurring on a global scale, there are new risks. The collaborative tools that make this type of workforce possible also pose new challenges. Given that security is not just about technology, but about people and their behavior, this is a very interesting examination of the behavioral side of risks to data loss. The results could help businesses better tailor their security policies.

The 10 most noteworthy risks and mistakes by employees were:

  1. Altering security settings on computers – 20% of employees bypass IT policy to access unauthorized websites
  2. Use of unauthorized applications – 70% of IT professionals said unauthorized applications and websites resulted in as many as half of the data loss incidents
  3. Unauthorized network/facility access – 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility
  4. Sharing sensitive corporate information – 24% of employees admit to verbally sharing sensitive information
  5. Sharing corporate devices – 44% of employees share work devices with non-employees
  6. Blurring of work and personal devices, communications – nearly two thirds of employees use work computers daily for personal use – music downloads, banking, blogging, chat rooms, personal email
  7. Unprotected devices – at least one in three employees leave computers logged on and unlocked when away from their desk. Laptops often are left on desks without logging off.
  8. Storing logins and passwords – one in five employees store login / password information on their computer or write them down near their computer
  9. Losing portable storage devices – 22% of employees carry corporate data on portable storage devices
  10. Allowing “tailgating” and unsupervised roaming – 13% of employees allow non-employees to roam around their offices unsupervised, 18% have allowed unknown people into corporate facilities

Some of these figures have been broken down by country in a great analysis here.

Check out more here:

Via Network World

Confusion a Barrier to Encryption Adoption

Friday, September 26th, 2008

CertifiedMail and Osterman Research have released the findings of a study on encryption adoption.

The Encryption Solution Implementation Landscape report indicates that data is being put at risk mostly by a lack of understanding about encryption technologies. The three main areas that people cite as holding back encryption are: encryption legacy perceptions, a lack of awareness of the availability or ease of use of solutions, and a lack of understanding of the type of data that must be encrypted.

As Kelly Mackin, COO and President of CertifiedMail, notes, businesses no longer question the need for anti-virus or anti-spyware software, but it’s now the time to extend this line of thinking to other ways to protect confidential data. Encryption and laptop security software, among other security tools, should become standard practice.

Here are some of the highlights of the survey, which involved 205 organizations and more than 13,000 respondents:

  • 47% of organizations did not have the ability to send encrypted emails from their desktops
  • 45% can send encrypted email manually through their email client (22% of them found it difficult)
  • 13% can send encrypted emails automatically through some sort of policy-based encryption capability
  • 27% of organizations had experienced an accidental or malicious data leak during the previous 12 months

The survey found that users believed that encrypting email was a difficult process, although part of this has been attributed to perception rather than experience. Many users have experiences with legacy systems that have biased them against the easier tools today. The survey found an eagerness among respondents to have “click of a button” encryption available in email clients, with nearly one-half of users wanting automatic encryption capabilities.

Via Security Watch; image: iStockphoto.com
