|
By Michael Eggebrecht
A majority of employees are engaging in activities that place their organization's data at risk, according to a survey conducted by research firm Ponemon Institute.
While 87 percent of respondents said their employer does not allow them to move confidential information outside of the company using USB flash drives, 61 percent admitted to doing so. The survey, which included 967 individuals from a broad cross-section of industries, also found that 52 percent access Web-based e-mail accounts at work, an activity that 83 percent said their organization prohibits.
Fifty-three percent of participants download Internet software onto their work computers, 47 percent share passwords with their co-workers and 21 percent said that, on occasion, they turn off the anti-virus software or firewalls on their desktops or laptops.
The study, issued June 10, was sponsored by IronKey, a maker of secure flash drives.
"One of the things we found is that people’s attitudes toward their employers really impact how rigorously they apply the security policies," said John Jefferies, VP of marketing for IronKey, at the Government Research Technology Alliance conference in Hot Springs, Va. on Tuesday. "Recent layoffs have certainly negatively impacted peoples’ opinions about their employers."
In a survey conducted by Ponemon in June 2007, 51 percent of respondents said they were transferring sensitive data using USB drives, or 10 percent fewer. Why the increase? "We’re seeing a huge influx of USB flash drives—approximately 125 million a year are produced, of which 20 percent to 30 percent go into businesses," said Jefferies.
Forty-three percent of participants said they have lost a portable data-bearing device. Of those, USB drives accounted for 36 percent, followed by CDs and DVDs at 33 percent, smart phones at 22 percent and laptops at 9 percent. But while 91 percent reported the lost or stolen laptop, 28 percent told their employer about missing USB sticks.
Why aren't people reporting the loss of thumb drives? "Part of the reason is they’re embarrassed, part of the reason is they don't have to because of the low dollar value of the actual device itself," said Jefferies. "However, as people’s awareness increases, they realize that if the data is lost, they may be in deep trouble. There's an increased awareness that they should report it."
"More shocking," he added, "was that nearly half the companies wouldn’t know what was on that drive that they lost."
Even while employees appear to be ignoring some of their company’s policies, 58 percent said that their organization does not provide adequate training about compliance with data security requirements, and 57 percent believe the policies in place are ineffective. Sixty-three percent said their employer does not have adequate encryption and data-loss protection technologies.
The report, written by Ponemon Institute chairman and founder Larry Ponemon, identifies several areas in which organizations can improve. "Create a security-conscious culture among employees, temporary employees and contractors," says the study. "This can be accomplished, at least in part, by more effective security leadership." Also recommended is an enterprisewide data security awareness program that includes training activities for all employees, as well as clear accountability for security and data protection practices.
Only registered users can write comments.
Please login or register. |
