Security Awareness Research 5 November 2010

Transcription

1 Security Awareness Research 5 November % of data breaches happen as a result of frustrations with IT security policy restricting employees from doing their job

2 Foreword I am delighted to introduce this global research project which Clearswift has undertaken to examine IT security policies within businesses. This report follows on from the hugely successful series of reports published in April 2010 examining corporate attitudes towards Web 2.0 technologies, and the use of such tools in the workplace. Richard Turner Chief Executive The results of the original research illustrated a significant mind shift amongst businesses, making it clear that businesses now accept that Web 2.0 and other collaborative technologies are critical to the future success of their company. But as the corporate IT landscape becomes ever more complex, undergoing rapid changes as a result of the impact that Web 2.0 technologies have had, how prepared are companies, and more importantly, their staff, to cope with the ensuing security challenges? This new research moves on to examine attitudes towards IT policies in companies around the world, and the results are both fascinating and thought-provoking. One particularly interesting finding is the apparent lack of training of employees when it comes to IT policies many staff report only receiving training when they first join a company, and with technology changing so rapidly, this clearly isn t ideal. The reality is that staff can be a vital component for safeguarding data and information security within a business. Ensuring staff know and understand policies can be a huge advantage to companies. IT security companies have for too long made a living out of making their customers feel insecure, trading on fear and negativity to maximise profit. It is clear to me that in order to be more secure, companies must first stop feeling insecure. My overarching message as a result of this report is simple IT security must be brought out of the dark depths of the IT department and given clarity across the organisation. By having a relevant and current security policy in place, a company is enabling its employees to get on with the jobs that they need to do and aiding productivity and innovation.

3 Key Stats 71% of office workers say company has clear Internet policy that most employees understand 50% of office workers have discussed Internet policy with colleagues in the last 12 months, but only 29% have received training on the subject during this time 22% do not know if their Internet use is monitored at work Only 15% of office workers are concerned that they may be inadvertently breaching security policy but security breaches are most likely to be attributed to ignorance / lack of understanding (63%) Results of the Clearswift Security Awareness Survey are based on 2000 online interviews with office workers in UK, USA, Australia, Germany and Netherlands. The research was conducted by Loudhouse, an independent market research consultancy based in London Summary As technology for sharing information becomes more and more embedded in our lives, it becomes more and more important for those with access to data in the workplace to understand what uses of data are permitted and which activities may be putting data at risk. The Clearswift Security Awareness Survey explores the extent to which office workers understand the data security implications of their day-to-day activities and highlights an interesting data security phenomenon amongst office workers. It appears that employees in office environments have a misplaced confidence in their own levels of understanding and are not always equipped with the knowledge they need to keep data safe. As such, data security can be regarded as an unknown unknown workers who think they understand data protection are not aware that they need more information and guidance. Overconfidence can therefore be seen as the main data protection hazard in today s office environments. Employees are confident that they understand what is safe and what is permitted, which is leading many to take a casual attitude toward IT generally, often freestyling and blindly moving data from place to place without consideration of potential security risks. This situation is being compounded by the fact there is a lack of consistent communication about security policy, and consequently many office workers do not understand it fully. Despite the fact that the majority of office workers in this survey consider themselves to be risk-averse, individually and collectively they are inadvertently leaving their employers exposed to data security risks. In order to drive best practice in data security, Clearswift advises employers to actively engage their employees in a dialogue about security, responsibility, and risk. technology for sharing information becomes more and more embedded in our lives

4 Policy in practice With Internet use a ubiquitous part of working life for many, it is not surprising that most employers now have internet policies in place. Indeed, 71% claim that not only does their employer have such a policy, but that most of their fellow employees understand the policy which is in place. Only 20% say their company has no official policy at all. Furthermore, these policies for the most part are considered by employees to be fair and comprehensible only 10% see their employers rules as unfair, and only 8% feel employer policy makes no sense. Despite the existence of Internet policies and high reported levels of understanding of such policies amongst office workers, formalised communications around Internet policies are non-existent at worst, patchy at best. Whilst Internet use policy may be a topic of water cooler conversation, Figure 2 shows that half of office workers (50%) have had a conversation about Internet use policy in the last 12 months. In contrast, only 29% have had a dedicated training session on the policy within that time, and only 14% have raised a query to see if something they were doing was permitted under company policy. Indeed, half of respondents have never had a dedicated training session on their current company s security policy. Indeed, 38% have had no training at all about security issues in their current job (whether in a dedicated session or otherwise.) This suggests that even those who have had some training (at an induction or a scheduled session), are not provided with up-to-date information as they move through their organisations. Employees feel that their companies are being proactive about security 58% believe that their employer proactively encourages employees to understand and implement the policies they have, and generally see the policies as well-intentioned, but it is clear that the gap between good intentions and concrete action is large for many employers. Figure 1: Existence and understanding of company Internet policy Figure 2: Communication about Internet security Company has clear Internet policy / most employees do not understand policy, 9% Company has guidelines on Internet use but not enforced policy, 17% Company has no policy / guidelines on employee Internet use, 3% % in last 12 months... Discussed Internet use policy with colleagues 50% Received info about company security policies via Started using new software or hardware tools at work Have had dedicated training session on company security policy Consulted IT support about issue involving security tools Raised query about whether something I did online permitted under company s policy Warned informally by manager/colleague that something I did online might not be permitted 8% 14% 29% 28% 49% 46% Company has clear Internet policy / most or all employees understand policy, 71% employees understand the policy which is in place

5 Compliance confusion The majority of office workers claim general understanding of their employers internet policies, but many still experience confusion about aspects of that policy. Monitoring of internet use at work is the largest area of confusion: 21% say that their employer s electronic monitoring is the single most confusing aspect of using the internet at work. Figure 3 shows that over 1 in 5 office workers (22%) does not know if their internet use is being monitored at work. Of those (57%) who know that their internet use at work is monitored, 38% feel that their employer accesses information about personal internet use more than is necessary to maintain security. As one respondent put it No-one knows exactly who sees the Internet activity and what sort of information is on the reports, how often it is looked at and shared. Levels of office worker understanding of data security issues are shown in Figure 4. Confidence is highest in understanding what data can be sent via (79% are confident), what it is okay to do on work related social media (65%) and lower for understanding the security on work (52%). Other areas of employee data security confusion relate to the following: Who has access to data about my Internet use at work What data I can share with people in other functions and departments What data I am allowed to share outside work What I can say about work to others Who I can communicate with when I am at work Figure 3: Internet monitoring at work My use of the Internet at work is monitored electronically by my employer Don t know, 22% Figure 4: Employee confidence around data security issues Extremely confident Confident Neutral Not very confident Not at all confident No, 21% Yes, 57%...what data loss prevention means in the context of my work...the security on my work - if I make a mistake, the software will prevent incorrect use of data...what my company can see when I use personal or social media at work...what it is OK to do on work-related social media (work accounts on Facebook, Twitter, etc.)...what data can be sent via 34% 27% 25% 8% 27% 25% 30% 10% 9% 35% 24% 24% 9% 7% 42% 23% 18% 7% 8% 48% 31% 16% 3% 38% feel employer doesn t access information about personal online activity more than necessary to maintain security 1 in 5 (22%) feel employer accesses personal online activity more than necessary to maintain security Monitoring of internet use at work is the largest area of confusion

6 Casual compliance Interestingly, although personal levels of data security confidence are high only 15% of office workers are concerned that they may be inadvertently breaching company security policy through their use of the Internet - 63% of office workers attribute most security breaches to ignorance or a lack of understanding [Figure 5]. It seems therefore that office workers have a tendency to rate their own level of understanding of data security issues as higher than everyone else s! It is also worth noting that 1 in 5 people think security breaches occur in order to get jobs done efficiently or effectively, whilst 11% think they are down to frustrations with unrealistic IT security policy. Part of the problem appears to stem from an attitude of casual compliance. Office communications can be likened to a game of Chinese whispers with half of office workers (50%) reporting that there are informal rules about the internet at work, and that most people understand what s acceptable, regardless of what the official policy says [Figure 6]. Without training and consistent, up-to-date communication on company policy, lines between these informal standards and actual policy are being blurred and company data is being left exposed. With only 27% of office workers thinking that their company could be better at communicating its online security policy, it seems that security is off the radar for many people and not a top-of-mind concern in their day-to-day rush to get their jobs done. Patchy levels of confidence around data security issues only serve to paint a picture of misplaced confidence amongst both employees and employer and to highlight the need for security policy to be more fully and more frequently communicated by employers. Figure 5: Reason why IT security gets breached Figure 6: Casual compliance amongst office workers % agreeing (rating 4 or 5) Malicious intent 6% Frustrations with unrealistic IT security policy 11% I am confident that I understand my employer s policies about online activity I feel I understand which parts of my at-work internet use are visible to my employer There are informal rules about the Internet at my work - people know what s okay regardless of what the official policy says My company could be better at communicating its online security policy I am concerned that I may be inadvertently breaching company security policy through my use of the Internet 15% 27% 50% 56% 74% To get their jobs done more efficiently / effectively 20% Ignorance / lack of understanding 63% 1 in 5 people think security breaches occur in order to get jobs done efficiently or effectively

7 IT free-styling Office workers around the world are using a range of technologies in order to do their jobs and manage their personal lives. The boundaries between work and home use and appropriate and inappropriate use of technology are ever-shifting and essentially unclear. Figure 5 shows just some examples of where office workers are essentially IT free-styling, applying their own rules to technology use, regardless of what official policy says. 44% of office workers report storing data at work on personal memory devices, 39% download software to their computer at work and 25% use personal accounts on social networks to comment about their job. As one respondent put it I access my personal accounts and also do shopping during my lunch hour. I m hoping that no-one can see my card details or read my s. Most of the online activity during the day is likely personal, since only 14% use social media for work purposes (i.e., contributing to Facebook, Twitter, LinkedIn, or another social site as part of their job descriptions). still dominates work communication, and much of this is hosted in the cloud, raising security issues of which employees may not be aware. 74% frequently use and other web-based mediums to communicate with customers or clients about business. In short, office workers are using a variety of technologies, at varying levels of risk on a regular basis. The fact that office workers remain confident that they are compliant with data security policy in the absence of formalised training around such issues is a cause for concern. This situation is clearly untenable in the long term as data protection threats become more diverse and sophisticated, technology becomes more mobile and the lines between personal and work lives continue to blur. Figure 7: Examples of IT freestyling % doing at work at least sometimes Store data on work memory devices 46% Store data on personal memory devices 44% Download software to my computer Use personal accounts on social networks to comment about my job Use social networking sites in a professional capacity 25% 23% 39% Use media sharing sites in a professional capacity 20% office workers are essentially IT free-styling

8 Summing up It is clear that, whilst employees are confident that they understand their employers security policies this confidence is often unwarranted. Knowledge is too often transmitted informally, through conversations between employees, and hardened into informal guidelines that can supersede actual data protection policies in the absence of training. IT freestyling blurs the lines between personal and work technology, creating risks as sensitive work data is stored on personal USB sticks and personal information feeds through work laptops. This situation is risky in the long run, to both employers (who may suffer the consequences when workers break the rules) and to employees (who may inadvertently be revealing personal information through workplace monitoring or opening themselves up to career risk.) There are high levels of goodwill within organisations, however, and this creates the chance for outreach to close the security gap. The most forward-thinking organisations will need to close security gaps by acting on two problems at once. Technological solutions can help keep data under control, by automating enforcement and limiting risk. More regular training is needed alongside these solutions however, if employees are to feel confident about acting to protect sensitive data at work. Contact Clearswift United States Clearswift Corporation 161 Gaither Drive Centerpointe Suite 101Mt. Laurel, NJ Tel: Fax : United Kingdom 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire, RG7 4SA Tel: +44 (0) Fax: +44 (0) Australia Level 5, Suite 504, 165 Walker Street, North Sydney, New South Wales, 2060 Tel : Fax : Spain Cerro de los Gamos 1, Edif Pozuelo de Alarcón, Madrid Tel: / Fax: Germany Amsinckstrasse 67, Hamburg Tel: Fax: Japan Hanai Bldg. 7F, 1-2-9, Shiba Kouen Minato-ku Tokyo Tel : +81 (3) Fax : +81 (3)