While there are some problems with IT security in the U.S., Americans in general show better security behavior for preventing data loss than users in other parts of the world. That’s a general finding in a new report sponsored by Cisco that asked 2,000 globally dispersed professionals about their views on behaviors that could lead to data leakage.
The study focused on the behaviors of users and the perceptions of IT owners, and comes at a time when Vice Presidential candidate Governor Sarah Palin (R-AK) became the victim of an e-mail hack that could have led to data loss. Palin’s experience, though, is not indicative of the behaviors of U.S. IT users on the whole, who are doing better than most of their counterparts around the world when it comes to doing the right thing for security.
“Based on study, I agree that in general if you look through the data it appears that U.S.-based IT users have better behaviors that might contribute to less data loss issues,” Fred Kost, director of security solutions at Cisco, told InternetNews.com. “And IT clearly perceives that they have better control.”
Kost added that the Cisco-sponsored study did not measure whether there was a direct connection between better behaviors and actual data loss events. That said, Kost argued that better behaviors do lessen the risk.
So where do U.S. users show better IT behavior?
One area is the use of corporate-owned assets for personal e-mail. In the U.S., 39 percent of respondents admitted to using their company-owned computer for personal e-mail, while in Germany the figure was 47 percent, in India 58 percent and in China a whopping 61 percent.
Another bad behavior that Cisco asked about is whether users admitted to changing security settings on a company-issued computer. In the U.S., only two percent of respondents admitted to changing security settings. Other countries scored significantly worse, with nine percent in the UK, 10 percent in France, 20 percent in India and a staggering 42 percent in China admitting that they changed security settings.
The majority (52 percent) of users globally who changed their security settings did so to visit a Web site that they wanted to view but that was not allowed by their company’s policy. At a core level, IT professionals reported that it is the unauthorized use of applications and Web sites that leads to data loss incidents.
“So the very thing that IT is putting in place to protect end users is being disabled,” Kost said. “A lot of this is about users and IT trusting each other to do the right thing.”
In the case of Governor Palin, Kost noted that her case highlights the blurring of the personal and business use of e-mail.
“If I’m using Yahoo to access my personal e-mail on a computer that I also access my corporate e-mail on, my behavior on Yahoo could propagate risk to the corporate side of my computer,” Kost said.
Kost added that the social engineering risk is also something to consider, since the disclosure of even small bits of personal information could lead to a wider data loss issue.
“The Palin case highlights both the social engineering risk and also the use of work and personal e-mail,” Kost commented. “I can’t say if we’d had an increase in people inquiring about e-mail security directly as a result of Palin, but it definitely highlights the risk that people may not perceive as risk.”
Overall, Kost noted that the personal use of applications is creating risk, though there are some technology measures IT administrators can take to protect users. The key is balance.
“If IT locks everything down and doesn’t give users any freedom then users will work harder to break the rules or deviate from policy,” Kost said. “So there is a balance there and keeping users educated and building up the trust is critically important.”