Survey Says Everyday Behavior Puts Sensitive Information At Risk

Dec 11, 2007 3:29 PM


RSA, the security division of EMC, has announced the findings of its recent insider threat survey. Conducted by RSA in early November, the person-on-the-street survey polled government and corporate office workers in Boston and Washington, D.C. on their work-related security behaviors and attitudes. The results provide a snapshot of the everyday actions of trusted insiders who have access to sensitive data such as customer information, Social Security numbers, credit card data, company financials and intellectual property.

The results of the survey underscore that the risk posed to data by well-meaning insiders - employees, contractors, suppliers, partners, visitors and consultants who have physical and/or logical access to organizational assets - must be as closely managed as that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes.

These "innocent" insiders can unwittingly create data exposures of extraordinary scope and cost through their ordinary, everyday behavior, whether through carelessness, working around security measures or following inadequate security policies.

The survey results indicate that trusted insiders may work around unmanageable security policies in order to get their work done. For instance, employees who don't have remote access may email a document to their personal email address so they may work on it later from home - an action that violates most organizations' stated security policy. The survey found that:

* 35 percent of respondents have felt the need to work around their organization's established security policies and procedures just to get their job done.
* 63 percent of respondents frequently or sometimes send work documents to their personal email address so that they can access them from home.

When trusted insiders work around security policies, usually no harm is intended. Regardless of intent, sensitive data can be exposed, subjecting the organization - and possibly consumers - to unnecessary risk. Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business.

Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy.

The survey results also indicate that employees depend on remote access to corporate information while on the road, waiting at airports or working in coffee shops:

* 87 percent of respondents frequently or sometimes conduct business remotely over a virtual private network (VPN) or Web mail.
* 56 percent of respondents frequently or sometimes access their work e-mail via a public wireless hotspot (i.e. a wireless Internet connection at a coffee shop, airport, hotel, etc.).
* 52 percent of respondents frequently or sometimes access their work e-mail via a public computer (i.e. a computer at an Internet cafe, airport kiosk, hotel, etc.).

Remote access to sensitive data calls for stronger authentication than a username and password alone: a static password can be guessed, phished, or captured by a keylogger on the kind of public computer that more than half of respondents use to read work e-mail, and once captured it can be replayed indefinitely. Organizations can maintain the flexibility of remote access while protecting sensitive data by requiring two-factor authentication to VPNs and webmail, so that a second, one-time credential is needed in addition to the password. Additionally, companies can mitigate the risk of data loss in mobile environments by creating, monitoring, and enforcing information-centric policies.

"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," says Sam Curry, vice president of product management and product marketing at RSA. "Well-protected information is an asset that gives individual workers and organizations the confidence to achieve more."

A report of the full survey findings and recommendations is available from RSA.

© 2008 Penton Media Inc.
