By Andy Greenberg
When the Anna Kournikova virus was spreading wildly in 2001, it infected
millions of computers and clogged e-mail servers by offering a racy
picture of the teen tennis star to unsuspecting e-mailers. Or, in some
cases, not so unsuspecting.
"A big proportion of the infections we saw were coming from people who
had actually gone out searching for the virus because they wanted to see
Anna Kournikova," says David Perry, global director of education for
Trend Micro. "We didn't see this happening two times. We saw it
thousands of times."
Today, some security professionals say, enterprise computer users
haven't gotten much savvier. Perry says he still sees as many as one in
five virus infections coming from users who purposefully infect
themselves out of curiosity, just one of the many practices that
undermine information technology security with varying combinations of
naivet and carelessness. And as cyber-criminals become more
sophisticated and networks more intricately connected, that human
element leaves companies vulnerable to data leaks and intrusion in spite
of billions spent on electronic protections.
IT managers, for their part, are wising up to the importance of
security. In fact, they plan to spend 20% more on preventing data theft
and intrusion in the next year, according to research by the market
analysis firm InsightExpress. At the same time, about 30% of non-IT
corporate employees violate the terms of security agreements they sign,
according to another study performed by the firm, which surveyed
hundreds of professionals in seven countries around the world.
The second study, commissioned by Cisco Systems (nasdaq: CSCO - news -
people ) and the National Cyber Security Alliance, also shows that more
than 60% of employees sometimes use mobile devices without encrypted or
password-protected data to connect to their work's network, and more
than a third sometimes work by piggybacking on strangers' wireless
"The human element is always the most insecure," says Jennifer Granick,
executive director of Stanford's Center for Internet and Society. But
she argues that the problem isn't employees who are stupid or even
apathetic. She blames companies that make unrealistic demands without
providing secure ways to meet those expectations. "There's this pressure
to be on call outside of the office, either at your house or while
you're on vacation," she says. "That creates an incentive to skimp on
When employees connect to an unsecured wireless network in a coffee shop
or in their home, they expose all the data they're working on to the
whims of whoever else controls the router. Since 2005, security
researchers have warned of the threat of "evil twins," computers set up
to appear as routers and intercept sensitive data.
A more common problem is workers who transfer corporate e-mail to
third-party Webmail services like Gmail. Workers often prefer a Gmail or
Yahoo! Mail account because of its universal accessibility and
convenient interface. But using those services means confidential data
is stored on someone else's servers, where it can be exposed to anyone
who subpoenas it from Google (nasdaq: GOOG - news - people ) or Yahoo!.
"If you're forwarding corporate secrets with Gmail, you should be aware
you're sending them to Google," Granick says. "And when you put your
data in someone else's hands, you can't be sure how they're going to
As mobile technology unties workers from their offices, they engage in
significantly more risky behavior, according to a study released Tuesday
by Trend Micro. By their count, U.S. and U.K. workers on corporate
laptops are more than twice as likely, compared with desktop users, to
send confidential info by instant message, and about a third more likely
to send confidential data across Webmail. American laptop users are also
doubly inclined to download music and movies to corporate machines,
making them more likely to unwittingly install hidden malicious
But the real problem behind employees' insecure practices, says Trend
Micro's Perry, doesn't stem from any single trend. He cites Future
Shock, Alvin Toffler's 1970 book, which introduced the idea that humans
simply aren't emotionally prepared for the pace of technological change.
"Computer users aren't stupid," he says. "But there's a kind of
cognitive dissonance. We have a hard time understanding that all our
most sensitive materials are now ones and zeros."
In Pictures: Seven Habits Of Highly Insecure People
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!