ACN cybersec survey exposes alarming user practices
Regional orgs left vulnerable by employees’ digital naivety
An alarming number of GCC users participate in non-work activities on their devices while at the office, contributing to the overall vulnerability of corporate networks to cyber attack, according to the Arabian Computer News IT Security Behaviour Survey 2014.
The survey, conducted through ITP.net between April and May this year, sought to paint a clear picture of regional employees' activities with regard to cyber security best practices.
The most common practices are checking personal email (66%); browsing websites not directly related to work (59%); conducting online payments and financial transactions related to personal affairs (56%); and visiting social network sites such as Facebook (46%).
Twenty-nine per cent said they watched streaming video or listened to streaming music, and 27% admitted to having made a non-business online purchase. Eleven per cent had downloaded music or video, and another 11% said they had participated in online gaming while at the office.
"The survey results portray that users at large do use IT assets at work for personal use, mainly accessing personal emails, accessing personal online banking or browsing websites not related to work," said Ravi Patil, technical director, Mediterranean, Middle East and Africa, Trend Micro. "This poses a huge security challenge to companies as it opens up an infection channel for the malware writers to penetrate the company network."
Nicolai Solling, director of technology services at Help AG, said the highlighted behaviours could be prevented if organisations invested in software solutions to help control bad habits.
"It is interesting to see that despite the number of monitoring and access control tools available in the market, we still see so many employees engaging in these activities," he lamented. "It is clearly an indication of the lack of control companies have over their employees' usage of the Internet. Here I am not speaking primarily from a productivity perspective, but some of the behavior that is described can cause serious risks to an organisation, which again can cause financial losses."
Solling also pointed out another risk to regional enterprises that came about through lack of monitoring of such activities: that of exposure to litigation.
"While it may seem as just another employee benefit to allow uncontrolled Internet access, the price for the company can be very hefty if that access brings in malware, a Trojan or a virus, and can even lead to a scenario wherein the company becomes the target of a lawsuit for illegal use of the Internet, [in the case of] music and movie downloads."
The underlying concern surrounding cyber breaches is the exposure of data to unauthorised eyes. Security of corporate data was quite lax among those polled as over a third (36%) of users admitted to having saved company data on a USB stick or other external media to use elsewhere. Twenty-three per cent sent an email attachment to a non-work email address and 22% used a file-sharing service to transmit company files. Thirteen per cent transferred data directly to a mobile device.
Solling again cited properly configured security solutions as a way to prevent the misuse of proprietary data and suggested policy frameworks needed to be implemented along with software tools.
"Quite often bad behaviour of a user is merely an example of a company's security products and procedures not being aligned with the business requirements and policies of the organisation," he commented. "When dealing with any project around policies and procedures, it is important to understand how a business works and the processes around it and then align your solutions to support this. I actually think that most business e-mails that are sent to private mail addresses are because of limitations of functionality or something as simple as a file size, which causes bad user behavior."
Paul Wright is manager of the professional services and investigation team, Middle East, India and Africa at AccessData and a former UK law enforcement professional. Wright spent the last 10 years of his detective career specialising in Internet, network and computer investigations. He also advised tight monitoring of these behaviours using appropriate software solutions.
"During multiple investigations I have seen extensive misuse of organisation assets; as a consequence I have recommended [those organisations] to monitor their network traffic so they can establish network baselines [and] be efficient in identifying misuse and abuse of their assets and systems," he said.
Megha Kumar, research manager, Software, International Data Corporation (IDC), agreed and advised: "[Organisations should look] at automating security management especially around things like transferring data onto a USB or uploading to a share service."
The survey also posed questions on potentially hazardous practices that users have adopted. It was common among respondents, for instance, to leave a logged-on PC unattended, with a quarter (25%) reporting they had done this. Some 20% had opened an email attachment that had come from an unknown source; 17% had opened a spam message; and 11% had followed a hyperlink in an email from an unknown source. Password security in the region was also exposed, as a small number (6%) of users said they had shared their password with someone else.
"Leaving a logged-on PC unattended should be enforced by a policy which mitigates these risks," Solling insisted. "[And] why do users receive spam in this day and age where we have effective solutions to fight spam? IT is complex for the average user, and we cannot rely solely on the common sense of the individual to perform the correct choices to avoid risks."
ITP.net will release the full results of the Arabian Computer News IT Security survey tomorrow.