Careless Employees a Significant Security Risk


By Greg McNevin

December 12, 2007: A new survey from EMC’s RSA security has found that employee carelessness is one of the most significant threats to network security.

According to the security firm's latest “person-on-the-street” survey, well-meaning corporate and government employees who handle sensitive data such as customer information, Social Security numbers, credit card data, company financials and intellectual property can unwittingly create damaging data exposures of extraordinary scope and cost through simple carelessness, by working around security measures, or by following inadequate security policies.

Conducted in the US in early November, the firm questioned 126 people on their work-related security behaviours and attitudes, and found that 35 percent have felt the need to work around their organisation's established security policies and procedures just to get their job done, while 63 percent frequently or sometimes send work documents to their personal email address so that they can access them from home.

While no harm is intended in either of these circumstances, such actions create an unnecessary risk of serious security breaches, particularly as remote access becomes more ubiquitous: 87 percent of those questioned also noted that they frequently or sometimes conduct business remotely over a virtual private network or web mail.

A further 56 percent admitted to using public wireless hotspots to access their work email, while 52 percent said they had used a public computer to do it.

Next to remote access, 65 percent of those surveyed claimed to have frequently or sometimes left the workplace carrying a mobile device such as a laptop, smartphone or USB flash drive containing sensitive information related to their jobs such as customer data, personally identifiable information, company financials, credit card data, and competitively sensitive information such as product plans. A further eight percent admitted to having lost one of these devices with sensitive information on it.

Beyond data security, RSA also found that 34 percent of those canvassed had held a secured door open for someone they didn't recognize, while 40 percent have been let into the building by someone who didn't know them after forgetting their access card or key.

To curtail some of these risks, RSA recommends that organisations reduce the use of sensitive and personally identifiable information wherever possible, and only grant access to this information on a need-to-know basis. The firm also says that companies should consider establishing automatic control and enforcement actions to allow, audit, discard, quarantine or encrypt transmissions based on the sensitivity of the data.
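The automatic control described above is what a data loss prevention (DLP) gateway does at the mail boundary: classify each outbound message by the sensitivity of what it carries, then allow, audit, encrypt, quarantine or discard it. The following is an added illustration, not RSA's product or any code from the article; the corporate domain `example.com`, the sample messages and the mapping from data type to action are all assumptions constructed for the example. Social Security numbers are matched by pattern, card numbers by pattern plus a Luhn checksum (so that arbitrary digit strings do not trip the control), and confidential markers by keyword.

```python
import re

# Constructed sample outbox (recipient, body); not taken from the article.
SAMPLE_OUTBOX = [
    ("colleague@example.com", "Hi, the Q3 status slides are attached. See you Monday."),
    ("me@personal-mail.example", "Sending the customer list home. SSN 123-45-6789 for J. Doe."),
    ("me@personal-mail.example", "Card on file: 4111 1111 1111 1111 exp 12/09"),
    ("billing@example.com", "Card on file: 4111 1111 1111 1111 exp 12/09"),
    ("team@example.com", "CONFIDENTIAL: product roadmap draft for review"),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens (typical card formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Hypothetical keyword markers for competitively sensitive material.
CONFIDENTIAL_MARKERS = ("confidential", "financials", "product plan", "roadmap")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> set:
    """Classify the kinds of sensitive data present in a message body."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        # Only count a digit run as card data if it checksums as one.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            kinds.add("card")
    lowered = text.lower()
    if any(marker in lowered for marker in CONFIDENTIAL_MARKERS):
        kinds.add("confidential")
    return kinds


def decide(body: str, recipient: str, corporate_domain: str = "example.com") -> str:
    """Map the sensitivity of a message (and where it is going) to an enforcement action.

    The ordering below is an assumed policy: card data is the most tightly
    controlled, then identifiers such as SSNs, then marked-confidential text.
    """
    kinds = find_sensitive(body)
    external = not recipient.lower().endswith("@" + corporate_domain)
    if "card" in kinds:
        # Card numbers never leave the company in clear text; outside the
        # domain the message is dropped, inside it is held for review.
        return "discard" if external else "quarantine"
    if "ssn" in kinds:
        return "encrypt"       # may be sent, but only over an encrypted channel
    if "confidential" in kinds:
        return "audit"         # allowed, with a log entry for later review
    return "allow"


def scan_outbox(outbox):
    """Return a list of (recipient, action) decisions for an outbox."""
    return [(recipient, decide(body, recipient)) for recipient, body in outbox]


if __name__ == "__main__":
    for recipient, action in scan_outbox(SAMPLE_OUTBOX):
        print(f"{action:10s} -> {recipient}")
```

The point of the Luhn check and the recipient test is that an enforcement control is only as good as its classifier: a rule that quarantines every 16-digit number will be worked around just like any other policy that gets in the way of the job, which is exactly the behaviour the survey measured.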

“A holistic, information-centric security strategy takes people, process and technology into account and has a feedback mechanism,” said Christopher Young, Vice President and General Manager of the Identity and Access Assurance Group at RSA. “It is not enough to establish policy; actual insider behaviour must be measured and tracked against established policy in order to keep security aligned with the business.”
