Remote worker security still lax

An annual study by Cisco finds that remote workers have greater awareness of potential security risks but still have not eliminated risky behavior

Despite having a greater awareness of the security risks posed by careless computing habits and personal Internet activity carried out on corporate laptops, many remote workers continue to do things that imperil the safety of themselves and their employers, according to a new report from Cisco.

As part of its annual study on the security awareness and online behavior of remote workers -- based on interviews with 2,000 telecommuters carried out by researchers from InsightExpress -- Cisco experts said that people appear to have acquired a false sense of security when it comes to the use of their company-issued computers and other corporate IT assets.

Despite the fact that the IT security community has done a much better job in recent years of keeping people informed of the latest and greatest malware attacks and social engineering schemes, remote workers keep falling for the same types of tricks as they always have -- in part because they believe that they are now protected by more advanced security technologies, said Patrick Gray, special assistant to the CTO at Cisco.

In fact, in just one year's time, the number of respondents to the survey who expressed a belief that the Internet is "getting safer" increased from 48 percent 12 months ago to more than 56 percent in 2008. The trend was particularly evident in some parts of the world where Internet use is growing the fastest, and where people believe that their governments are going to greater lengths to protect individual users, such as Brazil (71 percent), India (68 percent), and China (64 percent). In Brazil, for instance, where banking-password stealing Trojan virus attacks have finally been thwarted by stricter legal penalties for those creating the threats, people may falsely assume that it is now safe to let down their guard, according to Gray.

"The awareness of security threats has grown across the board, but somehow, because of that, we do see the emergence of this false sense of security," said Gray. "Companies have done a great job of securing themselves at the perimeter, but where they're really falling down is with what is going on within their own networks and what is going outbound. They are blocking a lot more potential threats, but there's a lot of risky behavior on their networks as well."

One of the biggest problems contributing to the situation is the fact that many workers feel it is acceptable for them to use their work computers for their personal activities, such as shopping, interacting with friends, and searching the Web for popular information, the expert maintains.

By using their company-issued devices to head to corners of the Internet where attacks are more prevalent -- such as on e-commerce sites, social-networking portals, and independent Web properties, workers are putting their employers at risk of exploit by malware and other threats, he said.

The report found a 3 percent year-over-year increase in terms of the number of remote workers who felt that it was acceptable to use their corporate devices for personal use, such as Internet shopping, downloading music, and social collaboration.

Business versus personal use
With the rise in attacks being delivered via hacked Web sites and popular destinations including social-networking sites, people need to begin shifting their behavior and keeping their work machines separate from their personal lives, Gray contends.

"At end of day it's not their computer, it's a business tool, and people need to understand how much risk their activity poses for their employers, and that they need some level of separation in terms of their personal use," he said. "Companies may not want people going to the mall in the middle of the day when they could be doing work, but they might not want to allow them to use business tools to do things like e-commerce either."

IT workers participating in the study also highlighted the issue with 55 percent indicating their belief that their companies' remote workers are becoming less diligent toward security awareness, an 11 percent increase from the year before.

In addition to the growing number of threats being hosted on social-networking sites such as MySpace, Gray said that the personal data that people share about themselves and their employers on the sites poses a significant risk for the creation of targeted attacks.

If an attacker can go to a site like LinkedIn and get a firm grasp on someone's role in an organization and figure out who they might communicate with in the firm, it could be fairly easy for them to create an attack that easily tricks the individual into opening an infected e-mail, according to the expert.

However, it would appear that even suspicious e-mail arriving from unknown senders, long the favorite delivery channel for malware and links to phishing sites, continues to stand as a problem.

While the numbers of workers in the United States who are willing to open strange e-mails and attachments is far lower at 27 percent than in places like China (62 percent) and even the United Kingdom (48 percent), many people are still capable of falling for the time-honored ruse.

In one interesting twist on the issue of corporate device use, Cisco's report found that more people than ever are also using personal devices that are not under the control or management of their IT departments to access their companies' networks and electronic files. Some 49 percent of those people responding to the survey admitted using their own machines to do so, an increase from 46 percent one year ago.

Perhaps the only way to improve the situation will be for companies to enact stricter usage policies for their remote works regarding corporate-owned devices and embracing continued education for end-users about the nature and prevalence of threats, Cisco officials maintain.

"We need to continue to highlight the problems; companies are doing a much better job than they used to, but with all the blended threats, they need to reload and strengthen the human firewall, which is really the last line of defense," Gray said. "The companies that do the best job have ongoing continuing education for users that tells them that their computer is a business tool and who use monitoring tools to ensure that their security policies are being followed."