Mobile workers put company data at risk, study says

IT pros are not following simple data security procedures and are ignorant or uncertain about what, if any, mobile security policies exist
  • John Cox (Network World)
  • 07 December, 2007 08:21

Despite highly publicized data breaches, mobile workers still endanger company data with risky behaviors, according to a new survey.

The Web questionnaire of 893 U.S. IT professionals, taken earlier in the northern autumn, found that mobile workers, including the IT professionals surveyed, are not following even simple data security procedures and are surprisingly ignorant or uncertain about what, if any, mobile security policies exist.

Yet perhaps more ominous is the fact that company mobile security policies are non-existent, ignored or are not enforced.

The study asked a sample of mainly US IT professionals, in a range of company sizes and industries, about seven data security practices, by them and by their co-workers. The practices were:

  • Copying company data to a USB memory stick.

  • Accessing Web e-mail accounts from company computers.

  • Losing or having stolen a mobile device with company data.

  • Downloading personal software, such as an MP3 player, to a company computer.

  • Sending business documents from a company e-mail account to a personal e-mail address.

  • Turning off company security settings.

  • Sharing passwords with coworkers.

The survey was created by the Ponemon Institute, a research firm specializing in privacy and information management. The Web questionnaire drew responses from 893 self-identified IT professionals, from a total random sampling of just more than 15,000 adults. The study was sponsored by RedCannon Security, a vendor of mobile access security applications for the enterprise. The latest results track with an earlier Ponemon study on "off-network security".

The report notes that this type of survey has several inherent limitations or potential biases that should make readers cautious about drawing inferences from the data. For example, "it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instructions." The accuracy of responses can also be affected by the degree to which the sample list is representative of individuals who are IT executives, and by external variables such as media coverage. Still another variable is whether respondents were truthful in their answers.

Even with these caveats, the survey results are troubling.

In the study, 39% of respondents, almost four out of 10, say they have lost (or had stolen) a mobile computing device of some kind, ranging from laptops to USB drives, that held sensitive or confidential company data (most of these are in fact lost rather than stolen). Of those, only 28% reported the loss right away. Thirty-four percent say they waited a "few days." Worse, 56% of all respondents say they believe their employer would never be able to figure out what kind of data was on the lost device.

Problematic behaviors by mobile users are widespread, according to the survey.

For example, 51% of respondents -- company IT professionals -- say they have copied confidential data onto a USB memory stick, and 57% say others in their company do so as well. In some cases this is allowed: 13% say it is officially permitted, and 23% say it is permitted if the data is encrypted. But 32% acknowledge it is forbidden, 22% say there is no data security policy at all, and 11% don't know one way or the other (the numbers do not sum to 100% because of rounding).

When asked why copying is done if it's forbidden, 29% of the IT professionals say "If I didn't have the information, I would not complete my work on time." Another 21% say "no one really cares about compliance with this policy," and 40% say "the company does not enforce the policy." Those three reasons repeatedly surfaced, in roughly similar percentages, throughout the survey as the main reasons why these behaviors were widespread. Another recurring reason was "I am not aware of the policy."

As a result, the study notes that companies lack comprehensive mobile security policies, or systematic user training about them, or the means to enforce them, or some combination of these three. Only 10% of respondents say their company has a policy to deal with the loss of a portable storage device that contains sensitive company data, for example. Thirty-three percent say they're not aware of any company policy that restricts the copying of business information.

Other findings:

  • Downloading personal software to company-owned computing devices: 45% say they do it, and 60% say there is no stated policy against it.

  • Sending workplace documents to a home computer as an e-mail attachment: 33% say they do it, 48% are unsure whether it's forbidden to do so.

  • Sharing passwords with coworkers: 46% say they do it, 67% say they believe doing so is a violation of policy.

  • Turning off security settings or the firewall on a workplace computer: 17% say they do it, and 80% say they are unsure whether it's a violation.