[ISN] Office workers give away passwords for a cheap pen

From: InfoSec News (isnat_private)
Date: Mon Apr 21 2003 - 00:50:41 PDT

  • Next message: Ron DuFresne: "RE: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding"

    http://www.theregister.co.uk/content/55/30324.html
    
    By John Leyden
    Posted: 17/04/2003
    
    Workers are prepared to give away their passwords for a cheap pen, 
    according to a somewhat unscientific - but still illuminating - survey 
    published today. 
    
    The second annual survey into office scruples, conducted by the people 
    organising this month's InfoSecurity Europe 2003 conference, found 
    that office workers have learnt very little about IT security in the 
    past year. 
    
    If anything, people are even more lax about security than they were a 
    year ago, the survey found. 
    
    Nine in ten (90 per cent) of office workers at London's Waterloo 
    Station gave away their computer password for a cheap pen, compared 
    with 65 per cent last year. 
    
    Men were slightly more likely to reveal their password with 95 per 
    cent of blokes, compared to 85 per cent of women quizzed, prepared to 
    hand over their password on request. 
    
    The survey also found the majority of workers (80 per cent) would take 
    confidential information with them when they change jobs and would not 
    keep salary details confidential if they came across them. 
    
    If workers came across a file containing everyone's salary details, 75 
    per cent of workers thought they would be unable to resist looking at 
    it, again up from 61 per cent in 2002. A further 38 per cent said they 
    would also pass the information around the office. 
    
    
    Naughty. 
    
    The survey was undertaken by the organisers of Infosecurity Europe 
    2003 in a quest to find out how security conscious workers are with 
    company information stored on computers. 
    
    Workers were asked a series of questions which included: What is your 
    password? Three in four (75 per cent) of people immediately gave their 
    password. 
    
    If they initially refused they were asked which category their 
    password fell into and then asked a further question to find out the 
    password. 
    
    A further 15 percent were then prepared to give over their passwords, 
    after the most rudimentary of social engineering tricks were applied. 
    
    One interviewee said, "I am the CEO, I will not give you my password 
    it could compromise my company's information". 
    
    A good start, but then the company boss blew it. He later said that 
    his password was his daughter's name. 
    
    What is your daughters name the interviewer cheekily asked. 
    
    He replied without thinking: "Tasmin". 
    
    
    D'oh. 
    
    Of the 152 office workers surveyed many explained the origin of their 
    passwords. 
    
    The most common password was "password" (12 per cent) and the most 
    popular category was their own name (16 per cent) followed by their 
    football team (11 per cent) and date of birth (8 per cent). 
    
    Two thirds of workers have given their password to a colleague (the 
    same as last year) and three quarters knew their co-workers passwords. 
    
    In addition to using their password to gain access to their company 
    information two thirds of workers use the same password for 
    everything, including their personal banking, Web site access, etc. 
    
    This makes them more vulnerable to financial fraud, personal data loss 
    or even identity theft, the InfoSecurity team point out. 
    
    Meanwhile two thirds of workers admitted they had emailed colleagues 
    illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per 
    cent in 2002. Men were twice as likely to indulge in this activity 
    with 91 per cent of men sending unsavoury emails compared to only 40 
    per cent of women. 
    
    InfoSecurity's organisers say this behaviour could expose their 
    employer to expensive litigation for sexual discrimination, low morale 
    and even be viewed as allowing bullying. 
    
    Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are 
    sometimes just naïve, poorly trained or are not made aware of the 
    security risk. Employers therefore need to create a culture of 
    protecting their information and reputation with policies on 
    information security backed up with training to support the security 
    technology". 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 02:58:02 PDT