Employees Take Greater Risks at Work Than Home

Most people consider themselves prudent when it comes to workplace activities, but actions speak louder than words—especially when it comes to computer security.

A large gap exists between what employees say about computer security and how they practice it at work, according to the Information Systems Audit and Control Association, which polled 301 white-collar workers at companies of at least 100 employees.

For example, 15 percent of workers had shared files over a peer-to-peer network, which “is opening a big door at a large corporation,” says Kent Anderson, a consultant who serves on ISACA’s Information Security Management Committee. “Most of these file-sharing programs by default scan available files and serve those out to anybody who wants them.”

Eleven percent of workers had e-mailed confidential documents to the wrong person—yet only 60 percent considered the behavior risky. And 35 percent had knowingly violated a corporate IT policy.

“They think, even if I make a mistake, nothing bad is going to happen,” Anderson says.

One reason for the risky behaviors may be that employees tend to take workplace IT security for granted. More than 90 percent told ISACA they considered their offices secure. While they worry about the security of their home machines, they feel somebody else has taken care of security on their work computers, Anderson says.

Another reason may be that employees don’t understand the risks they’re taking with what may seem like routine tasks. Anderson says corporate IT departments tend to write overly long or technical IT policies, then stick those policies on a shelf and leave them unenforced.

Security policies must be simple, he says, and employees must be able to follow them and still do their jobs.

ISACA recommends corporate IT departments make security training routine. They should train new hires, update training frequently, and let employees know when there are specific threats.

ISACA’s recommendations reflect the results of a recent Computer Technology Industry Association (CompTIA) survey that found 68 percent of businesses have no security training program, even though most are seeing an increasing number of security threats and incidents. (Read “No Mobile Security Training at Most Businesses.”)

This is the first time ISACA has surveyed security practices at work, and Anderson wants to follow up on the results. He’s especially interested in how and why people knowingly violate corporate IT policies.

Checking personal e-mail at work may not seem like a problem, he says, but when you consider that 49 percent of workers clicked on a URL in an external e-mail and one-third downloaded files or software from friends, the risks grow quickly.