http://www.forbes.com/technology/2007/08/30/behavior-employees-vulnerable-tech-cx_ag_0830secure.html

By Andy Greenberg
Forbes.com
08.30.07

When the Anna Kournikova virus was spreading wildly in 2001, it infected millions of computers and clogged e-mail servers by offering a racy picture of the teen tennis star to unsuspecting e-mailers. Or, in some cases, not so unsuspecting.

"A big proportion of the infections we saw were coming from people who had actually gone out searching for the virus because they wanted to see Anna Kournikova," says David Perry, global director of education for Trend Micro. "We didn't see this happening two times. We saw it thousands of times."

Today, some security professionals say, enterprise computer users haven't gotten much savvier. Perry says he still sees as many as one in five virus infections coming from users who purposefully infect themselves out of curiosity, just one of the many practices that undermine information technology security with varying combinations of naïveté and carelessness. And as cyber-criminals become more sophisticated and networks more intricately connected, that human element leaves companies vulnerable to data leaks and intrusion in spite of billions spent on electronic protections.

IT managers, for their part, are wising up to the importance of security. In fact, they plan to spend 20% more on preventing data theft and intrusion in the next year, according to research by the market analysis firm InsightExpress. At the same time, about 30% of non-IT corporate employees violate the terms of security agreements they sign, according to another study performed by the firm, which surveyed hundreds of professionals in seven countries around the world.
The second study, commissioned by Cisco Systems and the National Cyber Security Alliance, also shows that more than 60% of employees sometimes use mobile devices without encrypted or password-protected data to connect to their work's network, and more than a third sometimes work by piggybacking on strangers' wireless Internet connections.

"The human element is always the most insecure," says Jennifer Granick, executive director of Stanford's Center for Internet and Society. But she argues that the problem isn't employees who are stupid or even apathetic. She blames companies that make unrealistic demands without providing secure ways to meet those expectations.

"There's this pressure to be on call outside of the office, either at your house or while you're on vacation," she says. "That creates an incentive to skimp on security."

When employees connect to an unsecured wireless network in a coffee shop or in their home, they expose all the data they're working on to the whims of whoever else controls the router. Since 2005, security researchers have warned of the threat of "evil twins," computers set up to appear as routers and intercept sensitive data.

A more common problem is workers who transfer corporate e-mail to third-party Webmail services like Gmail. Workers often prefer a Gmail or Yahoo! Mail account because of its universal accessibility and convenient interface. But using those services means confidential data is stored on someone else's servers, where it can be exposed to anyone who subpoenas it from Google or Yahoo!.

"If you're forwarding corporate secrets with Gmail, you should be aware you're sending them to Google," Granick says. "And when you put your data in someone else's hands, you can't be sure how they're going to treat it."

As mobile technology unties workers from their offices, they engage in significantly more risky behavior, according to a study released Tuesday by Trend Micro.
By their count, U.S. and U.K. workers on corporate laptops are more than twice as likely, compared with desktop users, to send confidential info by instant message, and about a third more likely to send confidential data across Webmail. American laptop users are also doubly inclined to download music and movies to corporate machines, making them more likely to unwittingly install hidden malicious software.

But the real problem behind employees' insecure practices, says Trend Micro's Perry, doesn't stem from any single trend. He cites Future Shock, Alvin Toffler's 1970 book, which introduced the idea that humans simply aren't emotionally prepared for the pace of technological change.

"Computer users aren't stupid," he says. "But there's a kind of cognitive dissonance. We have a hard time understanding that all our most sensitive materials are now ones and zeros."

In Pictures: Seven Habits Of Highly Insecure People
http://www.forbes.com/2007/08/30/behavior-employees-vulnerable-tech-cx_ag_0830secure_slide_2.html?thisSpeed=25000
This archive was generated by hypermail 2.1.3 : Thu Aug 30 2007 - 23:48:11 PDT