X

Report: Insiders a greater threat to data leaks

Final report based on a survey, commissioned by Cisco, on insider risks finds personal use of work devices--not stolen laptops--contributes more to leaking of corporate data.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
See full bio
Robert Vamosi
3 min read

IT professionals surveyed worldwide said they think their own employees pose a more serious security threat than outsiders, and often it's because of personal use of corporate assets, according to the third and final report based on a 2008 survey (PDF) commissioned by Cisco Systems and released Wednesday.

Other findings include: One in five Brazilian IT professionals said they think their employees are less diligent around protecting corporate data. And in China and in India, IT professionals are most concerned with data thefts through the use of USB devices including thumb drives and iPods in the workplace.

A Cisco survey found that of employees who have lost company-issued devices or have had them stolen, one in four employees have done so more than once within the past year. Cisco

According to the survey, IT professionals said about 10 percent of their employees are losing corporate devices like laptops and USB drives with valuable data more than once a year.

"There's either a negligent behavior or careless recklessness in which they handle data maybe because they didn't realize it was there or maybe there's an education gap," Fred Kost, director of security solutions for Cisco, told CNET News in an interview. "The storage capacity of some of these devices and the types of access they have access to is becoming a critical issue for companies."

The report also cited the growing risks of portable hard drives as opposed to lost or stolen laptops. One in three IT professionals said USB drives (including iPods) were their top concern, more so than e-mail (23 percent), lost devices (19 percent), and verbal communications with outsiders (8 percent).

Surprisingly, 1 in 10 end users in the Cisco survey admitted stealing data or devices and then selling them for profit, or knowing of co-workers who have done so.

Yet there are also nonmalicious reasons to explain how corporate data gets leaked into the wild.

"If you think about the device leaving the enterprise, going into their home environment, the personal environment, maybe letting their children use it; that puts the corporate data at risk," said Kost. He said data leakage could occur when the kids are using the device to surf some Web 2.0 application. "And what about the end of life, when they go to give the device up on one of the e-waste recycling days? There's another chance for somebody to get that corporate data."

Kost repeatedly mentioned the increasingly blurred lines between business use and personal use and how some of that is OK. But long-term personal use of a corporate asset could become a problem.

"Say they have their iTunes library on the device they use for work, now they have to give up their work device, and they have to figure out what to do." In the study, less than 10 percent of the employees did keep their work devices. Of those who did, 60 percent said it was because there were personal files on the device. "It's not malicious," Kost said, "it may just be the only computer in the household."

The Cisco study was conducted in late July through early August by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.

The first report on cultural attitudes toward security was released in October.

Of those who kept a work device, Cisco found that 60 percent did so for personal needs. Cisco