Cisco commissioned a global survey of IT administrators and computer users about their perceptions on data leakage. Not surprisingly, the study found employees use their work computers for personal use and IT knows it.What is surprising is that the attitudes about private company information vary greatly by country, which affects global organizations and those that outsource. You can view the report here.
The report was conducted by research firm Insight Express across 10 countries. In each country, 100 qualified IT administrators and 100 qualified non-IT computer users were selected. Cisco wanted to get the perspectives from both sides of the cube. Insight Express selected the respondents and conducted the survey.
The report overall highlights what we knew already. Employees use work computers for personal use. Who hasn't sent e-mail while at work, chatted with a friend over IM, purchased something while at work, or checked their bank accounts? There are some differences between countries. Users in China and Japan indicate they check personal e-mail from work even though doing so is not approved by IT.
If IT has set controls to stop unauthorized use of company resources, how are employees doing this? Altering security settings is one way. So 14% of all end users -- 42% of respondents in China , 26% in Brazil, and 20% in India -- indicated they had altered their computer settings in order to bypass company policy. If your company is based solely in the United States, count yourself lucky. Only 2% of respondents from the United States said they change security settings. Maybe that's due to the purported lack of technical ability in the States.
Of all the respondents, 52% indicated they wanted to view a Web site regardless of company policy and 35% said what they do on the Internet is none of their company's business. This is one of causes of frustration IT faces daily. No matter how tightly you lock down a system and try to tell employees what is acceptable and unacceptable behavior, a percentage will do what they want if they can.
I know I have declined to help people bypass their IT policies simply on principle. I don't like restrictive IT policies any more than the next person, but IT has a problem -- how to maintain a large number of machines with a limited number of people. One way is to simply stop users from modifying the computers they use. The computer I use for work isn't my computer; it's the company's computer. I also have my own laptop at home that I use, so I don't need to use my work computer.
But I also remember back in the '90s when a lot of people didn't have a PC or an Internet connection at home and used their work equipment for personal use. I recall even back then (and this still happens today) asking IT administrators complaining about users downloading malware from the Internet why they let them have Internet access in the first place. "Well, to get their jobs done!," they'd invariably reply and look at me like I just sprouted a third arm. My response always was the same. I'd ask how many of their people can really justify Internet access as part of their job duties? It was a question they couldn't answer, so instead, they opened the gates and then tried to stop the flood using blocking products that can be bypassed.
Surprisingly, 73% of traveling users take some action to ensure they're not being eavesdropped on while working outside the office. Nearly 50% indicated they monitor their surroundings, 32% said they speak softly on business calls (I wish that number was much higher, given the number of loudmouths walking and talking). Only a paltry 23% indicated they use privacy screens, screens that block the view of the screen off-angle. Think polarized lenses for your laptop.
As someone who isn't shy about shoulder surfing when I'm bored, privacy screens would curtail my in-flight entertainment because leaning over to get a good view would be too obvious. I remember one flight from Vegas to Seattle, I was sitting next to a sales engineer while he worked on his sales reports. I ended up telling a senior VP at the company that they should invest in some privacy screens. I didn't tell him why, though.
There was one point of congruence between users and IT. A little more than 40% of users give others access to their computer and little less than 40% of IT administrators know it.