Workers and other insiders admit to risky behavior -- such as accessing corporate e-mail from Wi-Fi hotspots -- in a survey by security firm RSA.
The people inside an organization represent its greatest security risk.
That's according to a report (pdf) released on Monday by RSA, the security division of enterprise storage company EMC.
RSA said that the survey was fielded in November and consisted of 126 person-on-the-street interviews (using questionnaires) of government and corporate office workers in Boston and Washington, D.C.
"The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors, and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the report states.
The recent 2007 SANS Top 20, a list of the year's most significant security risks, also noted that computer users tended to be the weakest link in the computer security chain.
What sort of risky behavior are office workers engaging in? Some 52% said they sometimes or frequently accessed work-related e-mail via a public computer, such as a might be found at a Internet cafe, hotel, or airport. And 56% sometimes or frequently accessed work-related e-mail through a wireless hotspot.
Asked, "Have you ever lost a laptop, smartphone, and/or USB flash drive with corporate information on it?", 8% said they had.
And 63% of respondents indicated that they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.
While the RSA report suggests that additional security technology can mitigate these risks -- RSA is in the business of selling such things, after all -- it also acknowledges that the blame for users' disregarding security policies belongs in part with the creators of those policies.
"Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business," the report says. "Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."
And the fact is that for many workers, corporate security policies are either not convenient or are poorly understood. About 35% of respondents said that they felt they needed to work around corporate security policies to get their jobs done.
Sam Curry, VP of product management at RSA, said that the survey respondents were "innocent people working hard to do their jobs" and risks arising from their willful or accidental contravention of corporate policy weren't the product of malice. "Security procedures need to be in touch with the realities of human behavior," he said.
Curry stressed the need for user education, to make workers aware of the consequences of their actions. And he also said that organizations needed tools to monitor employee behavior to understand the gaps between policy and worker behavior. Said Curry, "Organizations need visibility into how people actually behave."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.