Common staff mistakes can lead to data leaks

With more and more reports emerging regarding the loss of sensitive data, a security study has identified the most common mistakes made by staff which can lead to data leaks.

The Cisco global security study was carried out by InsightExpress, and it surveyed a 1,000 IT professionals and 1,000 employees across ten different countries (U.S., the U.K., France, Germany, Italy, Japan, China, India, Australia and Brazil), in order to evaluate security and data leakage implications, as more and more businesses shift from centralized offices, to more distributed and remote workforces (a process that Cisco is heavily backing).

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

"There were a couple of surprises in the study," admitted John N. Stewart, chief security officer at Cisco during a video briefing to discuss the study. "Even in today's day and age, you can surprised by the most basic security lapses."

"Companies must realize that in a down economy, people are busy providing for their families first, then their communities, and then their businesses," he added. He suggested that companies should have funds available to help staff in financial difficulties, to remove the temptation for them to steal company secrets for profit.

The study identified a number of key behavioral findings, none of which will come as much of a surprise for today's IT professionals.

One of the most common issues is from users adjusting their security settings. No real surprise here, but the study found one in five staff have altered their security settings on their work machines so as to access unauthorized websites. When asked why, 52 percent said they simply wanted to access the site, whereas a third said it was "it's no one's business".

And users it seems are still accessing unauthorized applications, with seven out 10 IT professionals admitting that staff accessing unauthorized applications and websites (such as social media sites), has resulted in as many as half of their companies' data loss incidents.

And an age old problem still occurs with alarming regularity, after a worrying 24 percent of staff admitted to verbally sharing sensitive corporate with outsiders, including friends, family, and even strangers. When asked why, some of the most common answers included, "I needed to bounce an idea off someone", "I needed to vent", and "I did not see anything wrong with it."

Other bad behavior identified include unauthorized network/facility access (two of five IT professionals said they had dealt with staff accessing unauthorized parts of a network or facility in the past 12 months); sharing corporate devices (44 percent of staff said they share their work devices with other non-work people, without supervision); and two out three staff admit to using computers daily for personal use (including music downloads, shopping, banking, blogging etc).

And even basic security precautions are being ignored, with at least one in three employees leaving their computers logged on and unlocked when they're away from their desk (and they also tend to leave laptops on their desks overnight, sometimes without logging off).