Security challenges are growing in number and intensity, and seeping into
every aspect of a business organization. As organizations become more aware of
the need for disaster recovery strategies, they need to be especially cognizant
of remote worker behavior.
In today's increasingly globalized business environment, organizations of
all sizes are becoming more distributed. They rely more than ever on remote
workers, and for good reason. A mobile workforce can respond to customers more
quickly, be more productive and agile, and enjoy better job satisfaction.
Whether it's a salesperson on the road, a doctor at home, or a PR manager in a
coffee shop, organizations are enabling their employees to work anywhere, at any
time, and in any way, all to generate competitive advantages and greater
productivity.
Companies have placed their most-critical business processes on the network,
and a breach in security can quickly escalate into lost time and money,
compromised data, reduced productivity, or diminished customer confidence.
Security for remote workers is critical not only for a company's day-to-day
operations, but also for network resilience planning. As organizations become
more aware of the need for disaster recovery strategies, they need to be
especially cognizant of remote workers' behavior.
As the stakes grow higher for network integrity, the threat landscape is
rapidly evolving as well. More than ever, IT organizations require greater
agility and knowledge about how to combat attacks before they become full-blown
problems. Security challenges are growing in number and intensity, and seeping
into every aspect of a business organization. Threats are becoming more complex,
stealthy, and profit-motivated.
As security threats and concerns evolve, end-user behavior is changing.
Working remotely is no longer the exception, but a way of life for many
employees. To respond immediately to clients and colleagues, employees are
becoming dependent on constant access to the network. They are used to
responding to e-mail or accessing the company server at any time of day.
Employees depend on the Internet for their everyday business activities, and
face a broad array of tempting e-commerce sites, file sharing environments, and
online communities that can pose security risks.
Users are also becoming more complacent. They believe that their IT
organizations are responsible for protecting them, and as a result are most
likely unaware of new or emerging security threats. To overcome these new
challenges, IT organizations need in-depth insight into their users' attitudes
and behavior.
Survey reveals risky behavior
To better understand how remote workers affect security risks and planning for
IT, Cisco Systems commissioned InsightExpress, a third-party market research
firm, to survey end users from a wide range of industries. The surveys were
conducted in parallel in 10 countries: US, UK, France, Germany, Italy, Japan,
China, India, Australia, and Brazil. In each country, more than 100 remote
workers were surveyed.
The survey results reveal a surprising set of end-user perceptions,
experiences, and behaviors. These perceptions and behaviors heighten security
risks for IT organizations in environments that lack perimeters, boundaries, or
full corporate oversight.
For example, although a high proportion of telecommuters report being aware
of security, their work practices are not always consistent with this reported
awareness.
Awareness is not enough
Awareness is crucial in safeguarding organizations. The global survey
indicates that the majority of remote workers (66 percent) are cognizant of
security concerns.
While end users might be aware of the importance of security, this knowledge
is not enough to ensure safer behavioral habits among remote end users. Just
because users think or say they are cognizant does not mean they know how to be
safe. An end user who is poorly informed about security best practices, yet
believes he is working safely, can actually exacerbate security risks for IT
organizations.
To explore the relationship between user beliefs regarding security and their
behavior, the survey included a series of specific questions on behavior.
Perception played an important role in determining how end users actually behave
when working remotely. The survey revealed that although many remote workers
believe they are working securely, they continue to engage in risky online
behavior.
For example, the survey showed that nearly one-third (29 percent) of users
use the company computer for personal use. This behavior not only affects
productivity but also invites greater security threats.
Sharing work computers and devices
Sharing a company computer with a user outside the company can be an invitation
to security problems. Outside users have not been educated by a company's IT
organization, and are not beholden to its security policies. Nonetheless, the
survey revealed that significant numbers of end users share their company
computers with other users. Despite their awareness of the importance of
security, 21 percent of users admitted that they allowed others to use their
work computers. In fact, respondents in Japan said they allow others to use
their computers for personal reasons more than they do themselves.
Personal devices
Personal devices that users connect to the network pose serious security risks
for organizations. Oftentimes, these devices may not be governed by IT and
security policies, or comply with best practices.
Some 45 percent of end users stated that they used their own personal devices
to access corporate resources. In China, this number soared to 74 percent of end
users. Yet only half of those who used these devices said they had antivirus or
security software on the device.
- 29 percent of users believed that access by personal devices was safe.
- 36 percent believed using personal devices for network access was
acceptable simply because they did so regularly.
Downloading and e-mail behavior
Downloading files to the company network or to work devices has long been
recognized as a particularly risky behavior. Viruses, Trojan horses, and other
types of malicious files are well-publicized, and most corporate users are well
aware of these threats.
Nonetheless, surprising numbers of users continue to open e-mail messages and
attachments sent from unknown sources (see graph). Even a single instance of a
user opening a virus or malicious file can cause a great deal of damage.
Consider the impact of careless handling of e-mail and attachments by just 50
people in a 1,000-person company. Large organizations with thousands of users
cannot tolerate this behavior by even a small percentage of their users.
A sizable percentage of respondents (38 percent) reported that they click on
unknown e-mail messages but do not open attachments. This activity is less risky
than opening unknown files, but can still present security risks.
- In India and Brazil, 10 to 20 percent of users admitted to opening unknown
e-mail messages and their attachments. These figures are alarming: even one
bad file can wreak havoc on an organization.

Bringing one's own personal files into the secure business environment can
cause problems as well, yet the survey results show that this type of
behavior was common.
- 46 percent of end users download personal files to corporate networks or
their work devices.
- In both China and Australia, more than 58 percent of participants port
their own files to their work environment.
IT's challenge and opportunity
The contradictory relationship between many teleworkers' security awareness
and behavior illustrates the challenge IT must face every day in safeguarding
their companies. To promote effective security strategies, IT organizations must
rethink and reassess their relationships with end users, to engage more
proactively with their clients.
Traditionally, users have considered IT a monolithic service organization
that simply addresses network problems after they happen. IT would react to user
issues after the network went down or when computers were compromised.
As security threats become more sophisticated and pervasive, IT must make an
extra effort to foster two-way communication with users. They need to make
themselves known, establish their authority, and communicate best practices more
effectively. At the same time, IT organizations must listen to their clients for
better insight into how their users perceive security issues. Without an ongoing
dialogue, IT will have only a limited view of how well teleworkers understand
security and apply best practices when working remotely.
It's clear that end users understand the importance of security. Yet they
are not IT professionals and cannot be expected to understand a rapidly changing
threat landscape. They have different priorities. By collaborating with their
end users and educating employees about risky behavior, IT can make major
strides toward implementing sound security policies. At the same time, they can
fine-tune their strategies for employing comprehensive, in-depth security
technology. As they work to align their users' perceptions more closely with
reality, IT organizations can help their businesses participate in promoting
safe and secure workplaces.
Source: www.cisco.com