Mobile workers are falling short of their responsibilities
when it comes to security, according to
a recent study by Cisco and the US National Cyber Security Alliance
(NCSA). The study, conducted by independent market research firm
InsightExpress, examined behaviors of mobile wireless workers using
smartphones, PDAs, laptops and other devices and found that as
companies continue to mobilise, the security risks increase as a
result of unsafe and sometimes reckless end-user behavior.
According to IDC, the number of mobile workers in the U.S. is
expected to reach more than 70% of the country's total workforce by
2009. Korn/Ferry International reports that, globally, 81% of
executives are constantly connected via mobile devices.
One of the issues contributing to a lack of security when the
workforce becomes mobile is the end-user perception that corporate
mobile devices are also personal devices and that there is little
risk involved in some practices.
"Mobile devices have real access to real data," said Cisco
security director Fred Kost. "The perception is [that] it's a
personal device -- 'I'm on my device.' "
The study gleaned its results from more than 700 mobile
employees in seven countries that have widely adopted
mobile and wireless technologies -- the U.S., U.K., Germany,
China, India, South Korea and Singapore.
Nearly three out of every four mobile users -- 73% -- queried
said they are not always cognisant of security threats and best
practices when working mobile. Many said they are sometimes aware
of potential security risks, but 28% conceded that they "hardly
ever" consider security risks and proper behavior. Some even went
so far as to admit that they never consider safe best practices and
didn't know they needed to be aware of security risks.
More startling were some of the responses mobile workers gave
when asked why they were lax in their security behavior. Reasons
offered included, "I'm in a hurry," "I'm busy and need to get work
done," "Security just is not top-of-mind for me," and "It's IT's
job, not mine."
Mobile workers polled said they often use unauthorised wireless
connections. One third of mobile users said they use unauthorised
wireless, either by hijacking a neighbor's wireless network
connection or by using an unauthorised connection in a public
place. China
had the most extreme cases, with 54% saying they've used an
unauthorised wireless network. In the U.S., 20% of respondents said
they use unauthorised wireless connections.
Users said they use unauthorised wireless networks because: "I
can't tell whose connection I'm using," "Mine isn't working," "They
don't know, so it's OK" and "I don't want to pay for my own
connection."
The study also found that 44% of all mobile users admitted to
opening e-mails and attachments from unknown or suspicious sources.
A significant number, 76%, said it's more difficult to identify
suspicious e-mails and files on PDAs and smartphones than on
laptops because of smaller screen sizes. In the U.S., 7% said they
open e-mails and attachments; 32% said they open only the e-mail;
57% said they delete the e-mail without opening it; and 4% said
they contact IT for guidance.
When asked about security issues they've encountered within the
past three months, 13% of U.S. mobile workers said they've left a
notebook, smartphone or PDA exposed on a car seat in a parking lot;
3% said they've lost their device outside of work; 2% said they
lost their device at work; 14% said they borrowed someone else's
wireless connection when working from home; 16% said they borrowed
someone else's wireless connection when working remotely, such as
in a partner's or friend's office; and 12% said they allowed a
non-employee to borrow their device to check e-mail, make calls and
perform other tasks.
As for how often they protect their data using encryption,
passwords and other mechanisms, 53% of mobile workers in the U.S.
said "all the time," while 31% said "sometimes" and 16% said
"never." As for why they don't protect that data, 13% of U.S.
mobile workers said they don't know what encryption is; 50% said
they don't know how to enable encryption on mobile devices; and 6%
said they don't know how to set passwords on devices.
Ron Teixeira, executive director of NCSA, an organisation that
educates the public and corporations about online security and
safety, said the study highlights some frightening trends. One of
the most startling, he said, is that companies are falling short on
making mobile workers acknowledge and sign a security agreement,
and if there is an agreement signed, it frequently isn't followed
up.
Internationally, the study found that nearly two-thirds of
mobile users sign security agreements. In the U.S., 41% said they
weren't asked to sign one. In addition, 39% of mobile workers in
the U.S. said they never received security training from IT, while
14% don't remember whether they received training.
Ben Gibson, director of Cisco's wireless and mobility solutions,
said that security training helps create a culture of good security
behavior and that education is key to keeping that culture
strong.
"Businesses are increasingly entrusting more and more employees
with access to corporate information anywhere outside of the
office, and this doesn't need to be a growing concern -- not if the
proper security technology and IT-user engagement model is in
place," Gibson said. "After all, embracing mobility and truly
leveraging the power it gives businesses -- agility, access,
responsiveness, efficiency -- requires protecting and educating
employees to prevent them from undermining this value. This is a
role IT can and should play more proactively than they
traditionally have in the past."
Teixeira said, however, that only part of the responsibility to
ensure that end users use safe practices falls on IT. He said IT
should educate end users, but that end users are also responsible
for ensuring they use appropriate caution.
"Wireless and mobility technologies are here to stay," Teixeira
said. "They're a fact of life. While this study shows mobility
provides businesses with new risks, so do other Internet services
and new technologies. Mobility and the Internet can be used
securely and safely if businesses institute a culture of security
within their workforce by providing their employees with continuous
cyber security awareness and education programs."
NCSA's mission is to educate about cyber security through
training visits and on its website,
www.staysafeonline.org,
but Teixeira said awareness still needs to be made a top
priority.
"Part of the issue is that the end users aren't being educated,
and they aren't aware of the threats that exist," he said. "There
are a lot of companies out there that are not making cyber security
a priority."
Teixeira said recurring awareness programs highlighting new
technologies and new threats are paramount to protecting corporate
data and ensuring that end users adhere to best security practices.
Adding mobile devices into the fold only increases that need.
"They shouldn't take cyber security any less seriously on a
mobile device," he said.
NCSA's goal is to teach companies that mobile security is a
twofold process. First, it should be approached with technology
such as encryption and password protection, then with education to
make sure that safe practices are being followed.
"Take a holistic approach," Teixeira said. "You need the right mix
of technologies and the right level of awareness. And mobile
devices add that extra dimension that expands the landscape."
Though the lack of security agreements in many companies is
particularly startling, Teixeira said, pretty much every result
found by the study shows him that the road to mobile security is an
uphill climb.
"All of it, in my perspective, is severe," he said. "All of
these behaviors open a business to a possible data breach. But all
of it together speaks to a lack of awareness. Users don't know
their role in cyber security. While IT focuses on the technology
side, they need to start off from day one making sure the employees
understand how important they are to cyber security."
Teixeira said most of the study's findings are "staggering and
disheartening," but he added that by having mobile workers sign a
security agreement and offering recurring awareness training
sessions, companies can get ahead of the curve and better protect
data and end users.
"Part of the problem does fall on the employee," he said, "but
both the employee and the business are responsible for creating a
culture of security."
Teixeira made the following suggestions to enhance mobile
security:
- Use effective passwords that are changed every 90 days
- Update antivirus and anti-spyware programs regularly
- Download necessary patches to the operating systems
regularly
- Create backups of all important data files
- Encrypt sensitive data
- Have an emergency response plan for mobile and wireless
security breaches
- Marry proactive education with proper technology that protects
network, mobile and wireless connections both inside and outside
the corporate environment. That includes wired and wireless
security infrastructure, incorporating VPNs, device and endpoint
protection, intrusion detection, admission control and effective
management.
Cisco's Kost said even though the study found many risky
end-user behavior trends, it can also act as a wake-up call for IT
to play a more active and strategic role in protecting employees
and overall business through education and technology
solutions.
"End users don't perceive their behavior as risky activity," he
said.
Jeff Platon, Cisco's vice president of security solutions, noted
that hope is not lost, despite some of the more startling
findings.
"What's key is knowing that the issues outlined in this study
can be addressed," he said. "Technology is important in helping to
resolve security issues for wireless mobile users, but education
and communication are proactive measures IT can take to help
address corporate security and generate greater ROI on their
investments. IT should be a strategic asset to the business --
enabling business process transformation and unlocking the power of
collaboration. As more workers become mobile, proactively educating
them to practice good security behavior should be a key tenet of
any business's approach to IT security and risk management."