Survey Says Everyday Behavior Puts Sensitive Information At Risk

Dec 11, 2007 3:29 PM

           

RSA, the security division of EMC, has announced the findings of its recent insider threat survey. Conducted by RSA in early November, the person-on-the-street survey polled government and corporate office workers in Boston and Washington, D.C. on their work-related security behaviors and attitudes. The results provide a snapshot of the everyday actions of trusted insiders who have access to sensitive data such as customer information, Social Security numbers, credit card data, company financials and intellectual property.

The results of the survey underscore that the risk posed to data by well- meaning insiders - employees, contractors, suppliers, partners, visitors and consultants who have physical and/or logical access to organizational assets - must be as closely managed as that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes.

These "innocent" insiders can unwittingly create data exposures of extraordinary scope and cost through their ordinary, everyday behavior, whether through carelessness, working around security measures or following inadequate security policies.

The survey results indicate that trusted insiders may work around unmanageable security policies in order to get their work done. For instance, employees who don't have remote access may email a document to their personal email address so they may work on it later from home - an action that violates most organizations' stated security policy. The survey found that:

* 35 percent of respondents have felt the need to work around their organization's established security policies and procedures just to get their job done.
* 63 percent of respondents frequently or sometimes send work documents to their personal email address so that they can access them from home.

When trusted insiders work around security policies, usually no harm is intended. Regardless of intent, sensitive data can be exposed, subjecting the organization - and possibly consumers - to unnecessary risk. Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business.

Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy.

The survey results also indicate that employees depend on remote access to corporate information while on the road, waiting at airports or working in coffee shops:

* 87 percent of respondents frequently or sometimes conduct business remotely over a virtual private network (VPN) or Web mail.
* 56 percent of respondents frequently or sometimes access their work e-mail via a public wireless hotspot (i.e. a wireless Internet connection at a coffee shop, airport, hotel, etc.).
* 52 percent of respondents frequently or sometimes access their work e-mail via a public computer (i.e. a computer at an Internet cafe, airport kiosk, hotel, etc.).

Remote access to sensitive data calls for stronger authentication than a username and password - which can be easily and quickly defeated. Organizations can maintain the flexibility of remote access while protecting sensitive data by requiring two-factor authentication to VPNs and webmail. Additionally, companies can mitigate the risk of data loss in mobile environments by creating, monitoring, and enforcing information-centric policies.

"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," says Sam Curry, vice president of product management and product marketing at RSA. "Well-protected information is an asset that gives individual workers and organizations the confidence to achieve more."

For a report of the full survey findings and recommendations, click here.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

SUBSCRIBE

Select an Issue April 1, 2008 March 1, 2008 February 1, 2008 January 1, 2008 December 1, 2007 November 1, 2007 October 1, 2007 September 1, 2007 August 1, 2007 July 1, 2007 June 1, 2007 IP Security Supplement May 1, 2007 April 1, 2007 March 1, 2007 February 1, 2007 January 1, 2007 School Security December 1, 2006 November 1, 2006 October 1, 2006 September 1, 2006 August 1, 2006 July 1, 2006 June 1, 2006 May 1, 2006 April 1, 2006 March 1, 2006 February 1, 2006 January 1, 2006 December 1, 2005 November 1, 2005 October 1, 2005 September 1, 2005 August 1, 2005 July 1, 2005 June 1, 2005 May 1, 2005 April 1, 2005 March 1, 2005 February 1, 2005 January 1, 2005 December 1, 2004 November 1, 2004 October 1, 2004 September 1, 2004 August 1, 2004 July 1, 2004 July 1, 2004 June 1, 2004 May 1, 2004 April 1, 2004 March 1, 2004 February 1, 2004 January 1, 2004 December 1, 2003 November 1, 2003 October 1, 2003 September 1, 2003 August 1, 2003 July 1, 2003 June 1, 2003 May 1, 2003 April 1, 2003 March 1, 2003 February 1, 2003 January 1, 2003 December 1, 2002 November 1, 2002 October 1, 2002 September 1, 2002 August 1, 2002 July 1, 2002 June 1, 2002 May 1, 2002 April 1, 2002 March 1, 2002 February 1, 2002 January 1, 2002 December 1, 2001 November 1, 2001 October 1, 2001 September 1, 2001 August 1, 2001 July 1, 2001 June 1, 2001 May 1, 2001 April 1, 2001 March 1, 2001 February 1, 2001 January 1, 2001 December 1, 2000 November 1, 2000 October 1, 2000 September 1, 2000 August 1, 2000 July 1, 2000 June 1, 2000 May 1, 2000 April 1, 2000 March 1, 2000 February 1, 2000 January 1, 2000 December 1, 1999 November 1, 1999 October 1, 1999 September 1, 1999 August 1, 1999 July 1, 1999 June 1, 1999 May 1, 1999 April 1, 1999 March 1, 1999 February 1, 1999 January 1, 1999 December 1, 1998 November 1, 1998 October 1, 1998 September 1, 1998 August 1, 1998 July 1, 1998 June 1, 1998 May 1, 1998 April 1, 1998 March 1, 1998 February 1, 1998 January 1, 1998 December 1, 1997 November 1, 1997 October 1, 1997 September 1, 1997 August 1, 1997 July 1, 1997 June 1, 1997 May 1, 1997 April 1, 1997 March 1, 1997 February 1, 1997 January 1, 1997

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue