Cisco Survey Designates 10 Riskiest Data Loss Behaviors

These and other security faux pas were revealed in a global study San Jose-based that Cisco released Tuesday, highlighting numerous risky behaviors by employees that can lead to the loss of corporate data.

The Cisco-commissioned study identifies some of the biggest data loss mistakes based on survey results from more than 2,000 employees and IT professionals in 10 countries. Altogether, Cisco surveyed 1,000 employees and 1,000 IT professionals in the U.K. France, Germany, Italy, Japan, China, India, Australia and Brazil.

Susan Don, director of channel business development with Cisco, said that the study doesn't necessarily uncover any secret truths, but instead reaffirms what many companies might already know yet need to confront.

However, Cisco execs say that the survey was conducted in light of changing business models and workplace environments that are more reliant on mobile workers and open perimeters than ever before. This shift is driven, in large part, by mobile devices and collaborative applications, such as phones, laptops and Web 2.0 applications, that are used both professionally and personally by workers.

"One of the phenomenon we have seen is the fact that when people work more by themselves, they feel as though they don't have to step up to corporate policies," said Nasrin Rezai, Cisco's senior director of information security.

One of the overriding trends illuminated by the survey indicates that behavioral risks can vary by country and culture, which enable businesses and channel partners to tailor management policies according to their own security needs.

For solution providers, Don said, the study's findings help spark a more detailed dialogue about data leakage with customers.

"This helps confirm these issues and open the door for solution providers to offer consultative services," she said. "It adds another dimension to that conversation."

John Stewart, Cisco chief security officer, said in a written statement that the research was conducted "in order to understand behavior, not technology per se."

"Security is ultimately rooted in users behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss—and what that ultimately means for both the individual and enterprise," he said."Simply put, security practices can be more effective when all users realize what their actions result in."

Rezai echoed that companies can throw technology at the problem in an effort to prevent data leakage, but a cultural shift is required in order for solutions to stick.

"Think about security not just as what you can do technology wise, but think of it as a cultural phenomenon," she said, adding that companies need to "come up with security strategies that start with people then lead to technology."

Of the numerous behavioral findings, the top 10 most noteworthy are:

1. Altering Security Settings on Computers: One in five employees altered security settings on work devices in order to bypass IT policies so they could view unauthorized Web sites.

2. Use of Unauthorized Applications: Seven out of 10 IT professionals said that employees use of unauthorized applications and Web sites such as social networking sites and ecommerce sites, resulted in as many as half of their companies' data loss incidents.

3. Unauthorized network/Facility Access: Two of five IT professionals said that they had to deal with employee access to unauthorized parts of the network or facility.

4. Sharing Sensitive Corporate Information: One in four employees admitted verbally that they had shared sensitive information to non-employees.

5. Sharing Corporate Devices: Almost half of the employees surveyed said that they share work devices with non-employees such as family and friends without supervision.

6. Blurring of Work and Personal Devices: Almost two out of three employees admitted using work computers daily for personal use for things like music downloads, shopping, banking and blogging.

7. Unprotected Devices: At least one in three employees said they leave computers logged on and unlocked when they're away from their desk, and also leave laptops on their desks overnight.

8. Storing Logins and Passwords: One in five employees said that they store their login and passwords on their computers or write them down and leave them on their desks.

9. Losing Portable Storage Devices: Almost one in four employees said they carry corporate data on portable storage devices outside the office.

10. Allowing Tailgating and Unsupervised Roaming: More than one in five German employees allowed non-employees to roam around offices unsupervised, while 18 percent allowed unknown individuals to tailgate behind employees into corporate facilities.

Andrew Hickey contributed to this article