Insiders dodge security for productivity, RSA says
In its latest survey of information-technology workers, security firm RSA found that more than half found ways to work around corporate security policies to get their work done, the company said in a report released this week.
The survey, dubbed The 2008 Insider Threat Survey, found that 53 percent of the 417 people surveyed at three conferences have felt that IT security policies are too restrictive. Nearly all of the respondents (94 percent) voiced familiarity with their company's security policies. Among the responses that should cause concern: More than half of workers sometimes access their work e-mail accounts through a public computer and about two-thirds had accessed the same accounts over a public wireless network.
The surveys took place at conferences in three different countries: the United States, Brazil and Mexico. Many of the respondents' answers indicated that workers in different countries had different issues with security policies. While lost laptops and devices were more common in the developing world -- 29 percent of workers in Mexico had admitted losing a laptop, for example -- physical security issues were more common in the U.S., where 31 percent of workers said they held a locked door open for a stranger, compared to 7 percent in Brazil.
"Being down to Brazil and Mexico myself and seeing the physical security concerns -- you don't go anywhere without a bodyguard, for example -- I think that would account, at least anecdotally, with that sort of behavior," said Sean Kline, director of product management for RSA's Identity and Access Assurance Group (IAAG).
Many companies focus on the malicious insider as, potentially, the most damaging threat. Earlier this year, a network administrator for the city of San Francisco stood trial for locking out other workers from administering the system. Smaller companies are typically unprepared for such threats.
The RSA survey suggests that focusing only on malicious insiders does not address what is perhaps the major issue that companies face -- workers who innocently circumvent security, Christopher Young, senior vice president at RSA, said in a statement.
"It remains clear that businesses need to take a layered approach to security to help mitigate the insider threat and keep data safe," Young stated. "As such, it is important for any organization to know who has access to your information; control access through policy; monitor for suspicious activity to verify user identities; create and enforce data security policies and controls; and transform real-time event data into actionable compliance and security intelligence."
Reproduced from an article published by SecurityFocus
© SecurityFocus
The original article can be viewed here:
http://www.securityfocus.com/brief/839