Mobile workers are falling short of their responsibilities when it comes to security, according to a recent study by Cisco and the National Cyber Security Alliance (NCSA).
The study, conducted by independent market research firm InsightExpress, examined behaviors of mobile wireless workers using smartphones, PDAs, laptops and other devices and found that as companies continue to mobilize, the security risks increase as a result of unsafe and sometimes reckless end-user behavior.
According to IDC, the number of mobile workers in the U.S. is expected to reach more than 70% of the country's total workforce by 2009. Korn/Ferry International reports that, globally, 81% of executives are constantly connected via mobile devices.
One factor behind the weaker security of a mobile workforce is that end users perceive corporate mobile devices as personal devices and therefore see little risk in some of their practices.
"Mobile devices have real access to real data," said Cisco security director Fred Kost. "The perception is [that] it's a personal device -- 'I'm on my device.' "
The study gleaned its results from more than 700 mobile employees in seven countries that have widely adopted mobile and wireless technologies -- the U.S., U.K., Germany, China, India, South Korea and Singapore.
Nearly three out of every four mobile users queried (73%) said they are not always cognizant of security threats and best practices when working mobile. Many said they are sometimes aware of potential security risks, but 28% conceded that they "hardly ever" consider security risks and proper behavior. Some went so far as to admit that they never consider safe practices and did not know they needed to be aware of security risks at all.
More startling were some of the responses mobile workers gave when asked why they were lax in their security behavior. Reasons offered included, "I'm in a hurry," "I'm busy and need to get work done," "Security just is not top-of-mind for me," and "It's IT's job, not mine."
Mobile workers polled said they often use unauthorized wireless connections. One third of mobile users said they do so, either by hijacking a neighbor's wireless network or by using an unauthorized connection in a public place. China had the most extreme cases, with 54% saying they've used an unauthorized wireless network. In the U.S., 20% of respondents said they use unauthorized wireless connections.
Users said they use unauthorized wireless networks because: "I can't tell whose connection I'm using," "Mine isn't working," "They don't know, so it's OK" and "I don't want to pay for my own connection."
The study also found that 44% of all mobile users admitted to opening emails and attachments from unknown or suspicious sources. A significant number, 76%, said it's more difficult to identify suspicious emails and files on PDAs and smartphones than on laptops because of smaller screen sizes. In the U.S., 7% said they open emails and attachments; 32% said they open only the email; 57% said they delete the email without opening it; and 4% said they contact IT for guidance.
When asked about security issues they've encountered within the past three months, 13% of U.S. mobile workers said they've left a notebook, smartphone or PDA exposed on a car seat in a parking lot; 3% said they've lost their device outside of work; 2% said they lost their device at work; 14% said they borrowed someone else's wireless connection when working from home; 16% said they borrowed someone else's wireless connection when working remotely, such as in a partner's or friend's office; and 12% said they allowed a non-employee to borrow their device to check email, make calls and perform other tasks.
As for how often they protect their data using encryption, passwords and other mechanisms, 53% of mobile workers in the U.S. said "all the time," while 31% said "sometimes" and 16% said "never." As for why they don't protect that data, 13% of U.S. mobile workers said they don't know what encryption is; 50% said they don't know how to enable encryption on mobile devices; and 6% said they don't know how to set passwords on devices.
Ron Teixeira, executive director of NCSA, an organization that educates the public and corporations about online security and safety, said the study highlights some frightening trends. One of the most startling, he said, is that companies are falling short on having mobile workers acknowledge and sign a security agreement, and where an agreement is signed, it frequently isn't followed up on.
Internationally, the study found that nearly two-thirds of mobile users sign security agreements. In the U.S., 41% said they weren't asked to sign one. In addition, 39% of mobile workers in the U.S. said they never received security training from IT, while 14% don't remember whether they received training.
Ben Gibson, director of Cisco's wireless and mobility solutions, said that security training helps create a culture of good security behavior and that education is key to keeping that culture strong.
"Businesses are increasingly entrusting more and more employees with access to corporate information anywhere outside of the office, and this doesn't need to be a growing concern -- not if the proper security technology and IT-user engagement model is in place," Gibson said. "After all, embracing mobility and truly leveraging the power it gives businesses -- agility, access, responsiveness, efficiency -- requires protecting and educating employees to prevent them from undermining this value. This is a role IT can and should play more proactively than they traditionally have in the past."
Teixeira said, however, that only part of the responsibility to ensure that end users use safe practices falls on IT. He said IT should educate end users, but that end users are also responsible for ensuring they use appropriate caution.
"Wireless and mobility technologies are here to stay," Teixeira said. "They're a fact of life. While this study shows mobility provides businesses with new risks, so do other Internet services and new technologies. Mobility and the Internet can be used securely and safely if businesses institute a culture of security within their workforce by providing their employees with continuous cyber security awareness and education programs."
NCSA's mission is to educate about cyber security through training visits and on its website, www.staysafeonline.org, but Teixeira said awareness still needs to be made a top priority.
"Part of the issue is that the end users aren't being educated, and they aren't aware of the threats that exist," he said. "There are a lot of companies out there that are not making cyber security a priority."
Teixeira said recurring awareness programs highlighting new technologies and new threats are paramount to protecting corporate data and ensuring that end users adhere to best security practices. Adding mobile devices into the fold only increases that need.
"They shouldn't take cyber security any less seriously on a mobile device," he said.
NCSA's goal is to teach companies that mobile security is a twofold process. First, it should be approached with technology such as encryption and password protection, then with education to make sure that safe practices are being followed.
"Take a holistic approach," Teixeira said. "You need the right mix of technologies and the right level of awareness. And mobile devices add that extra dimension that expands the landscape."
Though the lack of security agreements in many companies is particularly startling, Teixeira said, nearly every result in the study shows him that the road to mobile security is an uphill climb.
"All of it, in my perspective, is severe," he said. "All of these behaviors open a business to a possible data breach. But all of it together speaks to a lack of awareness. Users don't know their role in cyber security. While IT focuses on the technology side, they need to start off from day one making sure the employees understand how important they are to cyber security."
Teixeira said most of the study's findings are "staggering and disheartening," but he added that by having mobile workers sign a security agreement and offering recurring awareness training sessions, companies can get ahead of the curve and better protect data and end users.
"Part of the problem does fall on the employee," he said, "but both the employee and the business are responsible for creating a culture of security."
Teixeira made the following suggestions to enhance mobile security:
- Use effective passwords that are changed every 90 days
- Update antivirus and anti-spyware programs regularly
- Download necessary patches to the operating systems regularly
- Create backups of all important data files
- Encrypt sensitive data
- Have an emergency response plan for mobile and wireless security breaches
- Marry proactive education with proper technology that protects network, mobile and wireless connections both inside and outside the corporate environment. That includes wired and wireless security infrastructure, incorporating VPNs, device and endpoint protection, intrusion detection, admission control and effective management.
Cisco's Kost said even though the study found many risky end-user behavior trends, it can also act as a wake-up call for IT to play a more active and strategic role in protecting employees and overall business through education and technology solutions.
"End users don't perceive their behavior as risky activity," he said.
Jeff Platon, Cisco's vice president of security solutions, noted that hope is not lost, despite some of the more startling findings.
"What's key is knowing that the issues outlined in this study can be addressed," he said. "Technology is important in helping to resolve security issues for wireless mobile users, but education and communication are proactive measures IT can take to help address corporate security and generate greater ROI on their investments. IT should be a strategic asset to the business -- enabling business process transformation and unlocking the power of collaboration. As more workers become mobile, proactively educating them to practice good security behavior should be a key tenet of any business's approach to IT security and risk management."