SAN JOSE, Calif. - August 21, 2007 - A global third-party study commissioned by Cisco® and the National Cyber Security Alliance reveals behavioral findings among mobile wireless workers that spotlight the human side of security as businesses and IT organizations empower more and more employees to remain connected outside of their offices.
Conducted this spring by InsightExpress, an independent market research firm, the study explores what's at stake for businesses striving to become mobile, and therefore more agile and efficient. It reveals findings gleaned from more than 700 mobile employees in seven countries that have adopted wireless technologies widely: the United States, United Kingdom, Germany, China, India, South Korea, and Singapore. Although the study uncovers risky behavioral trends, the results represent a major opportunity for IT to play a more proactive and strategic role in protecting their employees and businesses overall, both through education and solutions.
This is especially relevant as adoption of wireless and mobility technologies increases. For example, IDC reports that by 2009 the number of mobile workers in the United States is expected to reach more than 70 percent of the country's total workforce. Korn/Ferry International reports that 81 percent of executives globally are constantly connected via mobile devices.
"Wireless and mobility technologies are here to stay. They're a fact of life," said Ron Teixeira, executive director of NCSA, an organization chartered to educate the public on online security and safety. "While this study shows mobility provides businesses with new risks, so do other Internet services and new technologies. Mobility and the Internet can be used securely and safely if businesses institute a culture of security within their workforce by providing their employees with continuous cyber security awareness and education programs."
Almost three of every four (73 percent) mobile users claimed that they are not always cognizant of security threats and best practices when working on the go. Although many said they are aware "sometimes," 28 percent of them admitted that they "hardly ever" consider security risks and proper behavior. Some of these mobile users even admitted that they "never" consider safe best practices and didn't know they needed to be aware of security risks. When asked why they were lax in their security behavior, many mobile users offered reasons like, "I'm in a hurry", "I'm busy and need to get work done," "Security just is not top-of-mind for me," and "It's IT's job, not mine".
According to Ben Gibson, director of Cisco's wireless and mobility solutions, this reasoning highlights the importance for IT to engage users and educate them on good security behavior. A good security culture drives good security behavior, he says.
"Businesses are increasingly entrusting more and more employees with access to corporate information anywhere outside of the office, and this doesn't need to be a growing concern - not if the proper security technology and IT-user engagement model is in place," Gibson said. "After all, embracing mobility and truly leveraging the power it gives businesses - agility, access, responsiveness, efficiency - requires protecting and educating employees to prevent them from undermining this value. This is a role IT can and should play more proactively than they traditionally have in the past."
Mobile employees admitted to engaging in a variety of risky behavior. A couple examples include:
Accessing unauthorized wireless connections
- Whether it's hijacking a neighbor's wireless connection or jumping onto unauthorized connections in public places, one-third of mobile users engage in this behavior. China (54 percent) featured the most extreme cases. This behavior was also prevalent in Germany (46 percent) and South Korea (44 percent).
Top Reasons: "I can't tell whose connection I'm using"; "Mine isn't working"; "They don't know so it's OK"; "I don't want to pay for my own connection".
Opening emails and attachments from unknown or suspicious sources
- Almost half (44 percent) of all mobile users surveyed said they open emails and/or attachments from unknown or suspicious sources. In China, India, and the United Kingdom, more than half of mobile end users admitted to this behavior. A significant number (76 percent) said it is more difficult to identify suspicious emails and files on PDAs and smartphones than on laptops because the screens are much smaller.
"What's key is knowing that the issues outlined in this study can be addressed," said Jeff Platon, Cisco's vice president of security solutions. "Technology is important in helping to resolve security issues for wireless mobile users, but education and communication are proactive measures IT can take to help address corporate security and generate greater ROI on their investments. IT should be a strategic asset to the business - enabling business process transformation and unlocking the power of collaboration. As more workers become mobile, proactively educating them to practice good security behavior should be a key tenet of any business' approach to IT security, and risk management."
According to Teixeira, best practices that IT can work with mobile employees on include:
- Use effective passwords that are changed every 90 days
- Update antivirus and anti-spyware programs
- Download necessary patches to operating systems regularly
- Create backups of all important data and files
- Encrypt sensitive data
- Have an emergency response plan for wireless security breaches
- Marry proactive education with proper technology that protects connections to networks, mobile and wireless devices as they leave corporate environments, and re-entry of those devices into the same corporate environments as they reconnect to their networks. This includes a defense-in-depth wireless (and wired) security infrastructure that incorporates virtual private networking, device and endpoint protection, intrusion detection, admission control, effective management, etc.