By Matt Hines
February 05, 2008
Despite having a greater awareness of the security risks posed by
careless computing habits and personal Internet activity carried out on
corporate laptops, many remote workers continue to do things that
imperil the safety of themselves and their employers, according to a new
report from Cisco.
As part of its annual study on the security awareness and online
behavior of remote workers -- based on interviews with 2,000
telecommuters carried out by researchers from InsightExpress -- Cisco
experts said that people appear to have acquired a false sense of
security when it comes to the use of their company-issued computers and
other corporate IT assets.
Despite the fact that the IT security community has done a much better
job in recent years of keeping people informed of the latest and
greatest malware attacks and social engineering schemes, remote workers
keep falling for the same types of tricks as they always have -- in part
because they believe that they are now protected by more advanced
security technologies, said Patrick Gray, special assistant to the CTO
In fact, in just one year's time, the number of respondents to the
survey who expressed a belief that the Internet is "getting safer"
increased from 48 percent 12 months ago to more than 56 percent in 2008.
The trend was particularly evident in some parts of the world where
Internet use is growing the fastest, and where people believe that their
governments are going to greater lengths to protect individual users,
such as Brazil (71 percent), India (68 percent), and China (64 percent).
In Brazil, for instance, where banking-password stealing Trojan virus
attacks have finally been thwarted by stricter legal penalties for those
creating the threats, people may falsely assume that it is now safe to
let down their guard, according to Gray.
"The awareness of security threats has grown across the board, but
somehow, because of that, we do see the emergence of this false sense of
security," said Gray. "Companies have done a great job of securing
themselves at the perimeter, but where they're really falling down is
with what is going on within their own networks and what is going
outbound. They are blocking a lot more potential threats, but there's a
lot of risky behavior on their networks as well."
One of the biggest problems contributing to the situation is the fact
that many workers feel it is acceptable for them to use their work
computers for their personal activities, such as shopping, interacting
with friends, and searching the Web for popular information, the expert
By using their company-issued devices to head to corners of the Internet
where attacks are more prevalent -- such as on e-commerce sites,
social-networking portals, and independent Web properties, workers are
putting their employers at risk of exploit by malware and other threats,
The report found a 3 percent year-over-year increase in terms of the
number of remote workers who felt that it was acceptable to use their
corporate devices for personal use, such as Internet shopping,
downloading music, and social collaboration.
Business versus personal use
With the rise in attacks being delivered via hacked Web sites and
popular destinations including social-networking sites, people need to
begin shifting their behavior and keeping their work machines separate
from their personal lives, Gray contends.
"At end of day it's not their computer, it's a business tool, and people
need to understand how much risk their activity poses for their
employers, and that they need some level of separation in terms of their
personal use," he said. "Companies may not want people going to the mall
in the middle of the day when they could be doing work, but they might
not want to allow them to use business tools to do things like
IT workers participating in the study also highlighted the issue with 55
percent indicating their belief that their companies' remote workers are
becoming less diligent toward security awareness, an 11 percent increase
from the year before.
In addition to the growing number of threats being hosted on
social-networking sites such as MySpace, Gray said that the personal
data that people share about themselves and their employers on the sites
poses a significant risk for the creation of targeted attacks.
If an attacker can go to a site like LinkedIn and get a firm grasp on
someone's role in an organization and figure out who they might
communicate with in the firm, it could be fairly easy for them to create
an attack that easily tricks the individual into opening an infected
e-mail, according to the expert.
However, it would appear that even suspicious e-mail arriving from
unknown senders, long the favorite delivery channel for malware and
links to phishing sites, continues to stand as a problem.
While the numbers of workers in the United States who are willing to
open strange e-mails and attachments is far lower at 27 percent than in
places like China (62 percent) and even the United Kingdom (48 percent),
many people are still capable of falling for the time-honored ruse.
In one interesting twist on the issue of corporate device use, Cisco's
report found that more people than ever are also using personal devices
that are not under the control or management of their IT departments to
access their companies' networks and electronic files. Some 49 percent
of those people responding to the survey admitted using their own
machines to do so, an increase from 46 percent one year ago.
Perhaps the only way to improve the situation will be for companies to
enact stricter usage policies for their remote works regarding
corporate-owned devices and embracing continued education for end-users
about the nature and prevalence of threats, Cisco officials maintain.
"We need to continue to highlight the problems; companies are doing a
much better job than they used to, but with all the blended threats,
they need to reload and strengthen the human firewall, which is really
the last line of defense," Gray said. "The companies that do the best
job have ongoing continuing education for users that tells them that
their computer is a business tool and who use monitoring tools to ensure
that their security policies are being followed."
Subscribe to InfoSec News