Cisco report: Young employees present data security risk
Young workers and students show little regard for protecting information and represent a significant security threat to the companies they work for, according to a recent report from Cisco Systems.
By Linda Johnson
The Connected World Technology Report is based in part on a survey of college students and young professionals aged 18 to 23. The survey, which had 2,800 participants in 14 countries, is aimed at examining the attitudes, needs and behaviour of people coming into the workforce.
According to the report, 70 per cent of young employees admitted they break IT policies “with varying regularity,” and 61 per cent said they believe they are not responsible for protecting their IT devices, such as iPhones, Androids, laptops and iPads.
“They think that is the corporation’s responsibility, if they think about it at all,” said Scott Olechowski, Cisco security and threat research manager.
Respondents showed a similar disregard for their personal information. Eighty-six per cent of college students said they have allowed others, even strangers, to use their computers unsupervised, while 16 per cent said they have left their personal devices unattended in public.
One of every four (24 per cent) college students reported they have experienced “some form” of identity theft — such as stolen credit cards and ID — by age 23. At the same time, two out of five (40 per cent) have a friend or relative who has also been a victim of identity theft.
“There’s a disconnect here,” Olechowski said. “These people are sharing so much and providing unsupervised access. Yet, they’re actually seeing grave consequences for that type of activity.
“And these are the people who are coming into our workforce. We need to be thinking about how they view things, what they’ve become accustomed to and either how we’re going to fight that or how we’re going to protect ourselves in the process.”
Another cause for concern, he added, is the attitude of many young workers towards social media. An overwhelming majority of respondents, 80 per cent, either think their company’s IT policy on social media and device usage is outdated or aren’t sure whether a policy exists at all.
“We all know that we have an amazing number of sophisticated threats coming from outside our organizations. But right here, these numbers reflect that our views may actually be one of the top threats that our companies are facing,” he said.
According to the survey, Olechowski said, many employees violate IT policies because they perceive “a giant disconnect” between the policies and what they need to do their jobs. He noted that 22 per cent said they have to use unauthorized programs and applications to get their jobs done, while 18 per cent said they are simply too busy to think about the policies.
The lack of attention to privacy among young employees and their disregard for IT policies, he concluded, means companies should start questioning the policies they’ve created. Are they relevant? Do they make sense? “And we need to start looking at technologies that can help enforce these things. It can’t just be that [I do it because] the boss is out of the room.”
The report is part of a larger study, the 2011 Cisco Annual Security Report, which looks at trends in global computing and security threats to these systems.
Olechowski said researchers have seen a major shift away from mass compromise. Though more systems have come online in the last year, spam has dropped significantly, from 1.1 billion a year in June 2010 to 500 million a year later. Such attacks, aimed at infecting millions of computers, are not as effective as they once were. They’re also riskier, as security agencies get better at finding them and closing them down.
Today, more cyber criminals are focusing on “high-value opportunities,” he said. Many are targeting low-level accounts, like web mail — where it’s easier to set up automated password resets — in order to access bank accounts. “We’ve seen in 2011 an alarming rise in the automation of these types of stepping-stone attacks in mass account compromises.”
“Targeted attacks, the more focused attacks by the more serious cyber professional criminal, are so much more valuable that we believe it completely eclipses the losses we’ve seen from the carpet-bomb type of spam,” he said.
Mary Landesman, senior security threat researcher at Cisco, agreed damage done by cybercrime can no longer be gauged by numbers. For example, in last year’s “Nitro” attacks, infected emails were sent out to hundreds of industrial, aviation and chemical companies with the purpose of uploading sensitive documents. In the end, 39 companies fell victim to the attacks.
“With these attacks, the low numbers don’t matter. It was large-scale data theft of high-valued intellectual property. There was a real cost to anyone who was affected,” she said.
“You don’t know what the intention was in stealing this data, but you do know the data was from extremely sensitive industries, and it does have global repercussions. Often, the biggest threats, the scariest threats, are the ones that have the very small numbers.”
Another area of hacking expected to rise considerably is cloud computing, Olechowski said. Cyber criminals know more and more information is moving to the cloud and also know that by getting into the infrastructure, they can attack many more accounts than they can by getting into a personal Hotmail account. In addition, many cloud service providers are inexperienced and have not invested in adequate security.
“We know that there are going to be massive cloud infrastructure hacks that are going to lead to massive compromises,” he said.