Global Research Spotlights Threat Landscape's Covert Evolution as Potential Reason for Softening Perceptions and Discipline Around Safe Online Behavior; Spurs IT Call to Action
SAN JOSE, Calif. - February 5, 2008 - Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces.
Conducted by InsightExpress, a U.S.-based market research firm, the study involves surveys of more than 2,000 remote workers and IT professionals from various industries and company sizes in 10 countries: the United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia, and Brazil. The 10 countries were chosen because they represent a diverse set of social and business cultures, stable and emerging network-dependent economies and varied lengths of Internet adoption.
The study's significance takes on growing importance as the number of remote workers increases worldwide. According to a 2007 Gartner report, "The worldwide corporate teleworking population of individuals that spend at least one day a month teleworking from home is expected to show a compound annual growth rate (CAGR) of 4.3 percent between 2007 and 2011. In the same period, the worldwide corporate teleworking population of individuals that spend at least one day a week teleworking from home is expected to show a CAGR of 4.4 percent. This population will likely reach 46.6 million by the end of 2011."1
"Remote access and distributed workforces are here to stay. They provide competitive advantages and greater operational efficiency," said John N. Stewart, Cisco's chief security officer. "Businesses have the opportunity to benefit from productivity increases while preventing security risks from undermining them. This study provides intelligence and recommendations for understanding and minimizing risks as businesses allow employees to branch out beyond the traditional office. It explores their remote workers' psyche and provides valuable information about their approach to security."
A False Sense of Comfort?
One of the key findings is that remote workers feel less urgency to be vigilant in their online behavior. Although the majority believes they are more vulnerable outside the office than in, their perceptions of security threats are softening. In just one year, the number of remote workers who believe the Internet is safer increased 8 percent, from just under half (48 percent) to more than half (56 percent). This trend is especially prevalent in Brazil (71 percent), India (68 percent) and China (64 percent), three of the world's fastest-growing economies whose workforces depending more and more on the Internet and corporate networks.
According to the study, IT respondents believe their remote employees are becoming less disciplined in their online behavior: More than half (55 percent) believe their remote workers are becoming less diligent toward security awareness, an 11 percentage point increase from the year before. This perception shift may be a result of the threat landscape's evolution from overt to covert attacks. According to the Computer Security Institute's 2007 computer crime and security report, the number of financially motivated attacks surpassed traditional malware attacks (including viruses, worms, and spyware), and for the first time in the survey's 12-year history, the average annual loss from fraudulent attacks surpassed damages from malware. Although today's threats are more dangerous because they sabotage personal identities in addition to corporate intelligence, their invisible nature creates a false sense of comfort among employees that can result in a loss of discipline around online behavior, particularly when they work remotely.
"While working at home, people tend to let their guard down more than they do at the office, so adhering to security policies doesn't always intuitively seem applicable or as necessary in the private confines of one's home," Stewart said. "The blurring of the lines between work and home, and between business lives and personal lives, presents a growing challenge for businesses seeking to capitalize on the productivity benefits of the remote workforce."
Some of the key findings and reasons for risky behavior in year two include:
Strategic Recommendations for Protecting an Increasingly Distributed Workforce
According to Stewart, now more than ever, it is imperative for the IT department to reassess how it's perceived by employees and how it can proactively influence corporate security. IT often approaches security exclusively from a technology perspective, but the need for security awareness, education, and proactive, sustained communication is as fundamental as purchasing a firewall. Spearheading this consultative engagement with employees represents a prime opportunity for IT to reshape its image in the eyes of its users and maximize the return on technology investments. It provides a platform for IT to be viewed not as a cost center, but as a true business enabler. In doing this, the research's multicultural scope highlights the need for IT security leaders to apply "localized" engagement and communicate more targeted approaches for different parts of the world.
"What we've found in year two reinforces the need for IT to triangulate awareness, education, and communication between their teams, executives, and employees," Stewart said. "How you communicate and educate employees about essential security practices and policies will be different in Japan than in the United States. It will be different in China than in France. Security awareness and education requires an understanding of your audience's culture. You have to relate to them and earn their trust. Through trust comes respect and cooperation.
"This research stresses the point that managing corporate security is part technology, part process, part awareness, education and communication," Stewart added. "It's often more of a human challenge than a technical one. And because of that, IT has the duty to emerge from the traditional back office to become more proactively engaged and consultative with its user base. Simply put, now is the time for IT to become more strategic than ever."
The study and key findings will be spotlighted by Cisco security executives, including Stewart, as part of a live Internet TV broadcast today from 8 a.m. to 9 a.m. PST on global threat trends and managing the human side of security challenges (to attend: http://tools.cisco.com/cmn/jsp/index.jsp?id=70346).
1 Gartner, Inc. "Dataquest Insight: Teleworking, The Quiet Revolution (2007 Update)" by Caroline Jones, May 14, 2007