December 11, 2007 | Comments: (0)
Naive workers feed data risks
IT security studies keep arriving that point out the same fact: the careless actions of everyday employees remain one of the greatest sources of risk to data security.
Last week, Ponemon released a report that showed how few people really understand or respect their employers' security policies.
This week, EMC division RSA announced the results of its own research into workplace habits and issues of data security, and the conclusions are eerily similar to the Ponemon survey.
The 10,000-foot view of both reports is this: the human element of the data protection problem is what companies may need to address most aggressively if they truly want to bolster their overall security standing.
People, it would seem, will keep looking for ways to circumvent security policies whenever doing so makes their jobs easier, for as long as they are allowed to get away with it.
According to the RSA study -- based on an unreported number of interviews held with corporate and government employees in Boston and DC during November:
- Some 35 percent of respondents said that they have knowingly ignored their organizations' established security policies and procedures just to get their jobs done.
- Roughly 63 percent of respondents admitted that they frequently or sometimes send work documents to their personal e-mail accounts to get work done at home.
- Another 56 percent of respondents said that they frequently or sometimes access their work e-mail via public wireless hotspots.
- A 52 percent majority of respondents said that they frequently or sometimes access their work e-mail via public computers.
At the same time that people are seemingly blowing off whatever security best practices their companies have asked them to follow, the likelihood that they are walking around or working remotely with organizational information also continues to grow.
After all:
- Some 87 percent of respondents to the study said that they frequently or sometimes conduct business remotely over a virtual private network or using Web mail.
- Another 65 percent of respondents admitted that they frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone and/or USB flash drive that holds sensitive information related to their jobs.
- A total of 8 percent of respondents said that they have previously lost a laptop, smartphone and/or USB flash drive with corporate/organizational information on it.
RSA advises that organizations can mitigate this human risk by developing "information-centric policies that acknowledge and align with the needs and realities of the business."
But will that really work? What these results make clear is that policies alone do not have the desired impact on employee behavior, and that companies now need technologies such as DLP and e-mail encryption that can account for people's mistakes and misdeeds more than ever before.
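To make the DLP point concrete, here is an added example (not code from the original post, and not RSA's or any vendor's product logic) of the kind of outbound-mail check that catches the behavior 63 percent of respondents admitted to: forwarding work documents to a personal webmail account. The corporate domain, the list of personal webmail domains, the log format and every log line below are constructed assumptions for illustration only.

```python
"""Added example: a minimal outbound-mail DLP check that flags work documents
leaving for personal webmail accounts.  Domains, log format and sample records
are all constructed for this illustration; none are from the original article."""

import re
from dataclasses import dataclass

# Assumed values for this example; a real deployment tunes all three.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".csv"}
SENSITIVITY_MARKERS = re.compile(r"\b(confidential|internal only|restricted)\b", re.I)


@dataclass
class Finding:
    sender: str
    recipient: str
    reason: str
    attachments: tuple


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _local(addr):
    return addr.rsplit("@", 1)[0].lower()


def parse_log_line(line):
    """Parse one record in the constructed format:
    timestamp|sender|recipient|subject|attachment1;attachment2;..."""
    ts, sender, recipient, subject, attachments = line.rstrip("\n").split("|", 4)
    atts = tuple(a for a in attachments.split(";") if a)
    return {"ts": ts, "sender": sender, "recipient": recipient,
            "subject": subject, "attachments": atts}


def inspect(record):
    """Return a Finding when a corporate sender ships a work document (or a
    sensitivity-marked subject) to a personal webmail domain, else None."""
    sender, recipient = record["sender"], record["recipient"]
    if _domain(sender) != CORP_DOMAIN:
        return None  # inbound or external traffic is out of scope for this rule
    if _domain(recipient) not in PERSONAL_DOMAINS:
        return None  # a business recipient is not the pattern being hunted
    doc_atts = tuple(a for a in record["attachments"]
                     if any(a.lower().endswith(ext) for ext in DOC_EXTENSIONS))
    marked = bool(SENSITIVITY_MARKERS.search(record["subject"]))
    if not doc_atts and not marked:
        return None  # a bare personal note to a friend is not a DLP event
    if _local(sender) == _local(recipient):
        reason = "self-forward of work documents to personal webmail"
    elif marked:
        reason = "sensitivity-marked subject sent to personal webmail"
    else:
        reason = "work documents sent to personal webmail"
    return Finding(sender, recipient, reason, doc_atts)


def scan(lines):
    """Run inspect() over every non-empty log line and keep the hits."""
    return [f for f in (inspect(parse_log_line(l)) for l in lines if l.strip()) if f]


# Constructed sample gateway log; the people and messages are invented.
SAMPLE_LOG = """\
2007-12-10T17:55:02|alice@example.com|alice@gmail.com|Q4 numbers for tonight|q4_forecast.xlsx
2007-12-10T18:01:10|bob@example.com|partner@vendor.example.org|Q4 numbers|q4_forecast.xlsx
2007-12-10T18:03:44|carol@example.com|dave.home@yahoo.com|CONFIDENTIAL: board deck|
2007-12-10T18:05:00|erin@example.com|erin@hotmail.com|lunch tomorrow?|
2007-12-10T18:07:31|frank@example.com|frank.smith@outlook.com|contracts|msa_v3.docx;nda.pdf
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.sender} -> {f.recipient}: {f.reason} {list(f.attachments)}")
```

Run as written, the scan flags three of the five constructed records (the self-forward, the confidential subject and the contract attachments) and ignores the legitimate partner mail and the lunch note. The self-forward case is called out separately because it is the "work from home" habit the survey describes rather than deliberate exfiltration, and a sensible response (block, encrypt, or just warn the user) differs between the two.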
At the heart of the issue is the tricky balancing act that companies need to pull off in order to keep their data safe while allowing their workers to do their jobs with as little interruption as possible.
This is an opinion that many IT security leaders have advanced over the last year as the data protection issue has become such a central business problem for so many types of firms, but clearly it is not a problem that has been remedied.
As RSA puts it, simply, "when security is as convenient as possible for end users, they are less likely to work around security policy."
This seems like a no-brainer, but, like devising a countermeasure for every new trick the bad guys bring to the table these days, it is obviously a concept that is easier said than done.
"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," Sam Curry, vice president of product management at RSA, said in a report summary. "Well-protected information is an asset that gives individual workers and organizations the confidence to achieve more."
Posted by Matt Hines on December 11, 2007 08:52 AM