BreachExchange mailing list archives

Using company devices for personal activities leads to data loss


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Nov 2014 18:48:40 -0700

http://www.net-security.org/secworld.php?id=17671

GFI Software released the findings of an independent study into how workers
use company provided computers and laptops for personal activities, and the
direct impact that personal use can have on the organization.

The survey revealed that the employers of 40% of those surveyed had
suffered a major IT disruption caused by staff visiting questionable and
other non-work related web sites with work-issued hardware, resulting in
malware infection and other related issues.

35% of staff would not hesitate to take company property including email
archives, confidential documents and other valuable intellectual property
from their work-owned computer before returning it, if they were to leave
their company.

Half of those surveyed use a personal cloud-based file storage solution
(e.g. Dropbox, OneDrive, Box) for storing and sharing company data and
documents.

The blind, independent study was conducted by Opinion Matters and surveyed
1,007 UK employees from companies with up to 1,000 staff that had a
company-provided desktop or laptop computer.

Key findings include:

- 75% of respondents use their work-provided computer for non-work
activities
- Overall, 90% have at least some understanding of their company’s policy
on usage and follow it to at least some degree
- 8.5% completely disregard company IT policy on approved use of company
computers for non-work activities
- Nearly a third (31%) of those surveyed have had to get their IT
department to fix their computer after an issue occurred as a result of
innocent non-work use, while 6% had to do the same due to questionable use
(porn, torrents, etc.)
- 10% have lost data and/or intellectual property as a result of the
disruption caused by the outage.

The survey also found a substantial concern among employees over whether
their employers were monitoring their computer use, as well as a lack of
understanding of how it can be done and what devices can be monitored.

42% of respondents are concerned about their employer’s ability to monitor
their computer use, while almost two-thirds of those interviewed (63%)
think their employer can monitor use of an iOS, Android, or Windows-based
tablet as easily as they can a conventional PC. However, almost one in five
are unsure if their employer can monitor a tablet.

“Data security and integrity is a big challenge for companies as a result
of the widespread movement away from desktop computers to laptops. Since
laptops are usually brought home, they frequently get used out-of-hours for
both work and non-work activities. Without clear policies and guidelines in
place on approved personal use boundaries – backed up with technology to
limit access to the most challenging parts of the internet – the dividing
line between work tool and personal device can quickly become blurred,”
said Sergio Galindo, general manager of GFI Software.

“There are clear arguments in favour of letting staff use company computers
for a degree of personal activity. It’s good for morale, productivity and
it’s just common sense. However, people still need to remember that at the
end of the day it is not their device, and neither is the company data on
it. It is surprising how many people forget that and our survey underscores
just how true this is. You would not go racing around a track in a company
car, even though they let you take it home for an evening and pay for the
petrol or diesel. The same principle applies to a company computer. Just
because you can use it to access questionable content, doesn’t mean it is
appropriate to do so,” Galindo added.

With many people using their company-owned PC as their own fully-fledged
computer, and relying on it for everything from banking to shopping and
music to videos, they will build up a comprehensive history of web sites
visited, as well as files and documents of their own that have no bearing
on their job role.

The survey also asked users how comfortable they would be if their
co-workers, or their friends and family could see their personal browsing
history. Over one in five (21%) would not want their family or colleagues
to see their browser history or hard drive contents in the event they were
suddenly incapacitated, died, or otherwise didn’t have an opportunity to
sanitize their computer first.

This reaction highlights significant issues for users who need to return a
company-owned device when they leave a job, or simply when it is time for
it to be replaced with a new model.

When asked what they would do to their computer first if their employment
ended, 60% would make a grab for their personal files. More than one-third
(35%) would also take company documents, including confidential data and
customer lists, despite it being a blatant act of theft, raising
significant concerns for employers over data security and compliance.

However, 27% would simply walk away from their work device, not taking
anything, including their own legitimate belongings, from the unit before
handing it back.

“Data protection is a big problem, and one that has been exacerbated by the
casual use of cloud file sharing services that can’t be centrally managed
by IT. Content controls are critical in ensuring data does not leak outside
the organization and doesn’t expose the business to legal and regulatory
compliance penalties. Furthermore, it is important that policies and
training lay down clear rules on use and reinforce the ownership of data,”
added Galindo.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
