Survey: Insider carelessness cause of most security threats (12/11)
"The plain fact of the matter is, a simple thing that we might not be aware of can expose risk," said Sam Curry, vice president of product management and marketing at Bedford, Mass.-based RSA, the security division of EMC Corp. that released the survey Monday. "In some cases, the bad guys are looking for those. There are certain social human behaviors that the bad guy can watch for and exploit."
The "person on the street" survey, conducted in November, anonymously polled government and enterprise workers in Boston and Washington D.C. in an effort to assess everyday behavior that had the potential to compromise security and put sensitive information at risk. While seemingly harmless or well-intended, these behaviors can subsequently initiate data exposure of extraordinary proportions, resulting in enormous financial loss.
"The real assets are data assets. It's all about information. Really what we've got to do is minimize risk around information," said Curry. "The bad guys are into fraud. They're very well funded, and they are extremely motivated to make money. You can reduce a lot of risk by taking away the innocent mistakes."
Some of these innocent mistakes are committed by individuals who circumvent security regulations just to get their jobs done. While the survey found that most companies provide training on security best practices, about 35 percent of respondents felt that they needed to work around their company's established security policies just to complete their job-related duties. In addition, 63 percent of respondents said that they frequently or sometimes sent work documents to their personal email address so they could complete their tasks at home, and more than half said that they have accessed their work email from a public computer.
Changing insider roles also played a large part in compromising security. An overwhelming majority â€” 72 percent â€” reported that their company or organization employs temporary workers or contractors who require access to sensitive information and systems. Almost a quarter of respondents polled said they stumbled into an area of their corporate network to which they should not have had access, and 33 percent said they still had access to old accounts or resources after switching jobs internally.
At other times, trusting workers literally hold the door wide open for perpetrators. More than a third of respondents said they have opened a secured door for someone they didn't recognize at work, while 40 percent of workers said that someone else they didn't know let them into their building after they had forgotten their access card or key. And of the two-thirds of respondents that said their company provides a wireless network, 19 percent said that access was completely open, with no login credentials required.