[ISN] Study: Lax laptop policies create security concerns

From: InfoSec News (isn@private)
Date: Tue Nov 02 2004 - 00:52:04 PST


http://www.computerworld.com/securitytopics/security/story/0,10801,97094,00.html

By John E. Dunn
NOVEMBER 01, 2004 
TECHWORLD.COM

Company laptops are routinely used to download music and video, access
porn, and do online shopping, a new Europe-wide survey has revealed.

So big has the problem become that laptops returning to company
networks after their travels are now one of the biggest security
hazards faced by many companies. Despite this, 70% of companies
questioned offered no written guidance to employees on the use of
their machines, and only a quarter imposed technological restrictions.

The survey of employees in 500 companies across the U.K., the
Netherlands, Germany, France, and Italy on behalf of Websense Inc.,
uncovered the tendency of many employees to treat laptops as
unofficial personal possessions. The crimes of the mobile workforce
are various but include picking up spyware, downloading non-approved
software, surfing porn sites, and generally treating the issue of
security as a minor concern.

Forty-six percent allowed people outside of work to use their
machines. And board level employees were no better than workers at
other levels of the organization, with 54% admitting any one of a
number of hazardous activities such as downloading non-approved
software. The U.K. scored at or near the top on most measures of risky
behavior.

"I don't know if it's a lack of awareness or that they [companies] are
focused on security from within the network," said Mark Murtagh of
Websense. "They are looking at the traditional threat of viruses but
not doing a good job of protecting against the evolving threats."

Part of the problem was widespread ignorance of the risks of laptop
use -- the survey revealed that only 7% of those asked understood what
spyware was -- coupled to a need to use more technology to lock down
security, he said.

Companies loaded antivirus software but did not yet see the other
types of threat, such as data theft, as critical enough to warrant
further investment.

Solutions to the problem are harder to gauge. At an absolute minimum,
companies should start asking employees to sign up to reasonable-use
guidelines, while IT staff should treat any laptop connecting to the
company network after returning from its travels as a major security
risk. Longer term, it seems likely that software to lock down and
secure laptops will become a standard feature.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Tue Nov 02 2004 - 02:31:58 PST