British workers are more likely to open dodgy-looking emails than workers in any other developed nation except China, according to new research by Cisco on the habits of corporate workers.
While only 25% of US workers, 23% of French workers and 28% of Japanese admitted opening suspicious emails, the figure in the UK rose to 45%. Only the Chinese, at 54%, showed a higher level of curiosity.
But although the Brits like to see the message text, they are better disciplined when it comes to opening unsafe attachments or going to websites of dubious origin. Only 3% admitted doing so – far fewer than most other countries. In Japan, 14% opened attachments, followed by India (11%), China (8%), Germany (6%) and Australia (5%). Only 2% of US workers admitted opening attachments or suspicious URLs.
The survey also found an increase in workers using their work computers for personal use, such as shopping. In the UK, 43% of respondents said their company had no objection to them doing so.
It also seems that the lines between work and home computers are blurring, with a greater proportion of remote workers using personal devices to access work files, and work devices to access personal files, than they did in 2006. That trend seems to be strongest in China and the US.
"What we are seeing here is some risky behaviour," said Patrick Gray, a security strategist with Cisco, and a former member of the FBI and National Security Agency in the US. "We have more remote workers, and we are blurring the lines between personal and corporate assets. And with Web 2.0, everyone has hopped on the bandwagon of socialising with people around the world."
He said a lot of people at work feel comfortable because they believe their PCs are locked down tightly. "But with the threat vectors changing we need to take a look at how to tackle them," he said.
He said that from his own research, he saw hackers from around the world starting to use stealth tactics to get into networks and steal intellectual property. "Why pay millions in research and development when you can steal the information? We are not worrying enough about the risk to our corporate assets, and that is what really frightens me," said Gray.
He added that poor security procedures were allowing hackers to penetrate networks. "Once inside, they escalate their privileges to become basically an unpaid systems administrator. Then they grab the corporate data and piecemeal it out very slowly, so that we don't even know that they've been there." He also predicted that the upcoming Beijing Olympics would provide a fertile time for fraudsters trying to launch phishing attacks and lure users into lowering their guard.
Jim Mulheron, business development director at The Security Company, a consultancy, said that users would always be a weak link in security. "Technology and procedures can only do so much. You need to impose a cultural and behavioural change in the organisation so that people understand the implications as to their own vulnerabilities."
He said people had to be made aware of the potential repercussions of any mistake or a "moment's lack of thought". And for compliance purposes, he said, organisations also need to be able to show they provide users with adequate training and information, so that they can prove good practice in the event of a security breach.