Employees in developing countries can undermine data loss prevention efforts by engaging in risky behavior that threatens network security, a new survey found.
Cisco Systems Inc. surveyed end users and IT professionals in 10 countries and found that users in emerging markets such as China, Brazil and India tend to bend or break security guidelines far more often than users in established markets such as the United States, Japan and the United Kingdom.
These findings emphasize that it's critical for businesses that partner with companies overseas or directly employ people in developing countries to assess their vulnerability to data loss and take steps to mitigate risky behavior.
For instance, the survey found that 42% of Chinese workers, 26% of Brazilian workers and 20% of Indian workers admitted to changing the security settings on their company-issued laptops. Only 2% of U.S. workers and 6% of German workers admitted to such behavior.
Many workers transfer company documents to their personal computers through email or portable storage devices to work on at home. Sixty-five percent of Chinese workers and 61% of Brazilian workers admitted to doing this, versus just 30% of U.S. workers.
Sixty-three percent of IT decision makers surveyed in China and 48% in Brazil said they have had to deal with employees gaining access to unauthorized physical or network areas. In the United States the picture is slightly better, with 46% of IT decision makers admitting to experiencing this problem.
"It's a major concern," said Brian Burke, program director for security products research at Framingham, Mass.-based IDC. "We've talked to large, U.S.-based companies. They're absolutely concerned with protecting intellectual property when they start opening offices in these developing countries."
Burke said risky behavior that leads to data loss is a rising concern for network security professionals. He said that for eight years, malware had been the leading security concern for IT professionals surveyed annually by his firm. In the most recent annual security survey, conducted last December, IT professionals identified data leaks by employees as the greatest threat to network security.
"The other thing we've found is that the vast majority of these data leaks are inadvertent -- not malicious or deliberate," Burke said. "Our surveys show that 80% of the known data leaks were accidental. That just shows that employees don't understand that they're violating policy."
Cisco believes that the risky behavior in developing markets can be traced to the fact that workers in those countries are new to the information age, according to Marie Hattar, Cisco's vice president of network and security solutions. She said these workers didn't experience some of the big malware scares five or six years ago. "So they don't recognize or realize the risks associated with this [behavior] in terms of how they expose this information," she said.
Companies that do business overseas should focus on training potential employees about security policy, said Michael Hall, CISO at DriveSavers Data Recovery Inc. in Novato, Calif. They should also examine the integrity of the network infrastructure of potential international partners, he said.
"Look at how they approach security and how they are disseminating that information [about security policies] to employees," Hall said. "If it's a standard ongoing practice for them or if it exists at all. If I were doing business internationally at all, I'd want to vet the company before I opened up a relationship with them, particularly on the hardware handshaking side of things."
Although the survey serves as a warning about end users in developing markets, there is still plenty of room for improvement in the United States and other established markets. For instance, 54% of IT decision makers in the U.S. say they believe employees are using non-IT-approved applications on company-issued computers. And 39% of U.S. employees who were surveyed said they allow other people to use their corporate laptops and mobile devices without supervision.
This challenge in the United States and other established markets will only intensify as a new generation of people who are used to collaborating online and sharing information on sites like Twitter and Facebook join the workforce, according to Nasrin Rezai, Cisco's senior director of information security.
"The Generation Y that's coming to Cisco -- their mind-set is they grew up with all these social technologies and basically it's almost completely acceptable that you share all kinds of information," Rezai said. She said IT must find a way to instill good security practices in this new generation of workers.
Hattar said the key is to take a three-pronged approach to data loss protection: network security, physical security and employee education. Not all networking professionals are in a position to mandate training after they install a new firewall or network access control product, but they should at least raise that issue with their managers, she said. "The biggest issue is the human factor. Technology can only solve so much."
Hall, of DriveSavers, agreed that training must be combined with a solid physical and network infrastructure. He said too many IT people believe that their hardware is rock-solid and end user mistakes can't hurt them. He said he never makes that assumption.
"We have a monthly training session where I'm either sending out information about the Homeland Security newsletter or sharing best practices which end users adhere to," he said. "I'm just creating an ongoing awareness for people and making sure it's in the forefront of their minds initially and through consistent reminders."
Benjamin Craig, CIO at River City Bank in Sacramento, Calif., said he takes a similarly multipronged approach but adds a fourth step to his security strategy. He said securing company data has to start with the executive team at the very top of the company. Without buy-in from those executives, policies lack credibility among employees and the company can be exposed to potential litigation if a breach does occur. With executive buy-in at his bank, Craig was able to craft strong policies and implement network controls to enforce those policies. Then he launched a security awareness training program.
"We bring in a primary and alternate person from each of our business locations from across the organization to be able to spend a day with us, to learn how we work, how we operate, as well as what social engineering is. Why it's important not to install software that is not approved. How easy it is to sneak on a network," he said. "We walk them through several real-world scenarios and case studies. … By educating our users and really bringing them into our world and partnering with them instead of forcing policies on them and trying to augment those policies with technical implementations, we're getting them to buy in and we're able to make a much more effective program."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor