Remote Working: Status and Threats


1. Sources

1.1. Cisco report Feb 2008

1.1.1. Annual study on the security awareness and online behavior of remote workers -- based on interviews with 2,000 telecommuters carried out by researchers from InsightExpress -- Cisco experts said that people appear to have acquired a false sense of security w

1.1.2. That's among the findings of the second annual survey of remote working commissioned by networking giant Cisco Systems, which paints a picture of general (and increasing) slackness about IT security threats. The poll of 2,000 remote workers and IT pros from ten countries, including the UK, found that many remote workers were happy to risk opening suspicious emails and attachments.

1.1.3. In fact, Cisco Systems Inc. today is releasing the results of a disturbing third-party study it commissioned over the summer which proves conclusively that -- in many businesses all over the world -- remote users are actually engaging in more insecure behavior than they did the previous year.

1.1.4. CISCO press release about the report

1.1.4.1. earlier report

1.1.4.2. report itself not released

2. Conclusions and Actions

2.1. Perhaps the only way to improve the situation will be for companies to enact stricter usage policies for their remote workers regarding corporate-owned devices and embracing continued education for end-users about the nature and prevalence of threats, Cisco officials maintain.

2.2. "We need to continue to highlight the problems; companies are doing a much better job than they used to, but with all the blended threats, they need to reload and strengthen the human firewall, which is really the last line of defense," Gray said. "The companies that do the best job have ongoing continuing education for users that tells them that their computer is a business tool and who use monitoring tools to ensure that their security policies are being followed."

2.3. Cisco is calling for greater security diligence so that firms and individuals can enjoy the benefits of remote working without exposing their organisations to security risks. Security awareness and education are at least as important as technology in these efforts, Cisco notes.

2.4. Companies also will need to do a better job of deploying remote security technology that limits what users can access via their work machines, Gray advises. "Education alone is not going to do it," he says. "There has to be a technology component as well."

2.5. At end of day it's not their computer, it's a business tool, and people need to understand how much risk their activity poses for their employers, and that they need some level of separation in terms of their personal use,

2.6. "In response we have brought in a new infrastructure that allows remote access from anywhere but the services all operate within our data centre - the remote access is purely a Citrix window.

2.6.1. We can therefore completely control the resources available, including preventing printing, cutting, copying of data and even downloads onto those ubiquitous USB memory sticks."

2.7. backing up employee usage policies with automated enforcement systems can help mitigate the risk.

2.7.1. We deploy varying levels of remote access from basic Outlook web access to full blown VPN depending on the need. This impacts on the potential risk, ease of accessibility, the amount of support needed to maintain the systems and ultimately the cost

2.8. With secure VPN and disk encryption there is no reason why technically homeworking should be any less secure than in the office.

2.8.1. management

3. Freemind Flash

4. Behaviour or belief

4.1. The Internet is a safer place now

4.1.1. results from CISCO survey

4.1.2. In fact, in just one year's time, the number of respondents to the survey who expressed a belief that the Internet is "getting safer" increased from 48 percent 12 months ago to more than 56 percent in 2008.

4.1.3. Gray said the results of the study suggest that individuals are less frightened of Internet security issues than they were a year or two ago. "When they were getting hit by huge worms that extended across the Web, they were more cautious," he says. "But now, if they are not being affected by it personally, they feel safer. It's a silent problem, because they aren't hearing about it at a personal level."

4.1.4. Why?

4.1.4.1. The trend was particularly evident in some parts of the world where Internet use is growing the fastest, and where people believe that their governments are going to greater lengths to protect individual users, such as Brazil (71 percent), India (68 percent), and China (64 percent). In Brazil, for instance, where banking-password stealing Trojan virus attacks have finally been thwarted by stricter legal penalties for those creating the threats, people may falsely assume that it is now safe to let down their guard, according to Gray.

4.1.4.2. their government is doing more to protect them

4.1.4.3. With so many users engaging in risky activities, it seems odd that they believe security is actually improving. What's behind such a disparity?

4.1.4.4. "We haven't seen major worms in a few years -- things have changed with the bad guys going underground using more stealthy methods," Gray told InternetNews.com. "With this reduction of gross attacks, we have a false sense of security among the user population."

4.1.4.5. The recent Storm worm has not proven a wake-up call because it's not of the same category as the Zotob, Blaster and Sasser worms of the past, Gray said. Those worms were harmful in that they shut down computers, so infection proved impossible to overlook.

4.2. User perception of acceptable use

4.2.1. One of the biggest problems contributing to the situation is the fact that many workers feel it is acceptable for them to use their work computers for their personal activities, such as shopping, interacting with friends, and searching the Web for popular information, the expert maintains.

4.2.2. number of remote workers who felt that it was acceptable to use their corporate devices for personal use, such as Internet shopping, downloading music, and social collaboration.

4.2.3. Other unsafe behavior included allowing non-employees to share an employer-owned PC. On a global basis, 21 percent of respondents admitted to the practice -- up from 20 percent in 2006. Additionally, 12 percent worldwide said they helped themselves to a neighbor's Wi-Fi connection, a 1 percent increase from the previous year.

4.2.4. The number of workers in the UK who admitted they "hijack" the wireless connection of others has gone up from six per cent to 11 per cent over the last 12 months. Globally the figure is 12 per cent, with big increases all over the world.

4.2.5. Why?

4.2.5.1. Respondents also had an answer for why they shared their employer-owned PC with friends and family: 32 percent of those polled said they simply didn't see anything wrong with the practice.

4.2.5.2. The reasons offered for squatting a neighbour's wireless connection provide an insight into the thinking of remote workers. Answers offered in the survey included: "I needed it because I was in a bind", "It's more convenient than using my wireless connection", "I can't tell if I'm using my own or my neighbour's wireless connection" and "My neighbour doesn't know, so it's OK"

4.3. Willingness to open attachments or follow links

4.3.1. Although it is one of the age-old security risks, many remote workers admit that they still open suspicious emails and attachments despite the potential for triggering malware attacks. China (62 percent) is the most egregious offender. But arguably more disturbing is a growing trend in entrenched Internet-adopter countries like the United Kingdom (48 percent), Japan (42 percent), Australia (34 percent) and the United States (27 percent). For example, in Japan, 14 percent admit they open both an unknown or suspicious email and any attachments.

4.3.1.1. Nearly half (48 per cent) admitted to opening dodgy emails in the UK, something of a black spot for the issue. The US scored better (by comparison, at least) with 27 per cent of those surveyed admitting that they exposed themselves to this risk.

4.3.1.2. While the number of workers in the United States who are willing to open strange e-mails and attachments is far lower at 27 percent than in places like China (62 percent) and even the United Kingdom (48 percent), many people are still capable of falling for the time-honored ruse

4.3.2. The study found that remote workers regularly engage in risky behavior -- opening e-mails from unknown sources, using corporate PCs for personal activities and "hijacking" their neighbors' Wi-Fi connections.

4.3.3. Why

4.4. Use of personal devices for work purposes

4.4.1. In one interesting twist on the issue of corporate device use, Cisco's report found that more people than ever are also using personal devices that are not under the control or management of their IT departments to access their companies' networks and electronic files. Some 49 percent of those people responding to the survey admitted using their own machines to do so, an increase from 46 percent one year ago.

4.4.2. Accessing work files with personal, non-IT-protected devices: Accessing corporate networks and files with devices that are not protected by an employee's IT team presents security risks to the company, its information and its employees. As the number of remote workers grows, the study reveals an annual rise (45 percent in 2006 to 49 percent in 2007) in this behavior. It's widespread in many countries, especially China (76 percent), the United States (55 percent), Brazil (52 percent) and France (48 percent).

4.4.3. why?

4.4.3.1. Reasons Offered: "These devices are secure with antivirus and other content security software", "I regularly use these devices to access my network", "My IT department has said it's OK to do so".

4.5. No logical separation from work and play

4.5.1. In some cases, teleworkers will disconnect from their corporate VPN to shop online, then reconnect afterward, Gray said. However, doing so could mean the user brings malware with them once they reconnect, endangering the corporate network.

4.5.2. "While working at home, people tend to let their guard down more than they do at the office, so adhering to security policies doesn't always intuitively seem applicable or as necessary in the private confines of one's home," Stewart said. "The blurring of the lines between work and home, and between business lives and personal lives, presents a growing challenge for businesses seeking to capitalise on the productivity benefits of the remote workforce."

4.6. Using work devices for personal purposes

4.6.1. A 3 percentage-point increase year-over-year shows that more remote workers use corporate devices for personal use, such as Internet shopping, downloading music, and visiting social networking sites. This trend occurs in eight of the 10 countries, and the highest year-to-year spike occurs in France (27 percent to 50 percent). In Brazil, this trend rose 16 percentage points despite an increasing number of respondents agreeing that this was unacceptable behavior (37 percent to 52 percent year-over-year).

4.6.2. Reasons Offered: "My company doesn't mind me doing so", "I'm alone and have spare time", "My boss isn't around", "My IT department will support me if something goes wrong".

4.7. Allowing non-employees to borrow work computers and devices for personal use

4.7.1. As employees work more from home, the likelihood increases that they will share corporate devices with non-employees (e.g. family, roommates) who are not educated by IT or held to a company's security policies. This trend is increasing. While China features the highest rate of "device sharing" for the year (39 percent), the United Kingdom (from 7 percent in 2006 to 22 percent in 2007) and France (from 15 percent to 26 percent) reveal steep year-over-year increases.

4.7.2. Reasons Offered: "I don't see anything wrong with it", "My company doesn't mind me doing so", "I don't think it increases security risks", "Co-workers do it".

4.8. quick

4.8.1. careless computing habits and personal Internet activity carried out on corporate laptops

4.8.2. less diligent toward security awareness

4.8.3. believe that they are protected with best technology

4.8.4. users are actually behaving less responsibly,

4.8.5. careless

4.8.6. lax

4.8.7. The problem is that, despite this awareness, the incidence of insecure behavior is actually growing anyway.

4.9. more worried about data leakage than open networks

4.9.1. again

4.9.2. again

5. Trends

5.1. number of home or teleworkers is increasing

5.1.1. According to a 2007 Gartner report, "The worldwide corporate teleworking population of individuals that spend at least one day a month teleworking from home is expected to show a compound annual growth rate (CAGR) of 4.3 percent between 2007 and 2011. … In the same period, the worldwide corporate teleworking population of individuals that spend at least one day a week teleworking from home is expected to show a CAGR of 4.4 percent. This population will likely reach 46.6 million by the end of 2011."

5.2. remote working is both required and productive

5.2.1. "Remote access and distributed workforces are here to stay. They provide competitive advantages and greater operational efficiency," said John N. Stewart, Cisco's chief security officer. "Businesses have the opportunity to benefit from productivity increases while preventing security risks from undermining them. This study provides intelligence and recommendations for understanding and minimizing risks as businesses allow employees to branch out beyond the traditional office. It explores their remote workers' psyche and provides valuable information about their approach to security."

5.2.2. working from non-office locations is now a fact of life for most businesses and the risks must be mitigated against

5.2.3. "Risks increased when we moved away from mainframes and proprietary networks to client devices, but the increased benefits hugely outweigh the downsides. Sensible policies, appropriate security and above all training can sufficiently mitigate."

5.3. blurring of boundaries between work and home

5.3.1. Perhaps even more importantly, the lines between home computing and work computing are beginning to blur, the study suggests. Nearly half (49 percent) of respondents now say they are using their own personal devices to access their work files, up from 45 percent a year ago. And some 48 percent of users now use their work computers to access personal files, up from 46 percent last year.

5.4. mellowing of security message

5.4.1. Despite widespread security awareness campaigns, many users believe that their company's security "messaging is mellowing," Gray says. The growing use of mobile devices and "Web 2.0" technologies such as social networking are driving users toward the Internet at a higher rate, but security policies and enforcement are perceived to be softer than they were a year ago, he suggests.

5.4.2. "The messaging [from the corporation] needs to change," Gray said. "A lot of the awareness programs were written when viruses were the big problem, but you have to update your message as users move to things like Web 2.0. People have got to start to understand that the office PC is a business tool. You can't just use it whenever you want to upload the latest MP3 file or whatever."

6. Threat

6.1. malware

6.1.1. By using their company-issued devices to head to corners of the Internet where attacks are more prevalent -- such as on e-commerce sites, social-networking portals, and independent Web properties -- workers are putting their employers at risk of exploit by malware and other threats.

6.2. user misplaced confidence

6.2.1. false sense of security

6.3. over emphasis on perimeter security

6.3.1. less on computing habits or behaviour

6.3.2. what type of traffic is outbound?

6.4. use own device

6.4.1. using personal devices that are not under the control or management of their IT departments to access their companies' networks and electronic files.

6.5. Not convinced

6.5.1. blended threats

6.5.1.1. A blended threat is malware made up of a combination of different malware components, such as a worm, a trojan horse and a computer virus, that uses multiple techniques to attack and propagate.

6.5.1.2. gsearch turns up lots of items here

6.5.2. social engineering

6.5.2.1. In addition to the growing number of threats being hosted on social-networking sites such as MySpace, Gray said that the personal data that people share about themselves and their employers on the sites poses a significant risk for the creation of targeted attacks.

6.5.3. information exposure

6.5.3.1. If an attacker can go to a site like LinkedIn and get a firm grasp on someone's role in an organization and figure out who they might communicate with in the firm, it could be fairly easy for them to create an attack that easily tricks the individual into opening an infected e-mail, according to the expert.

6.5.3.1.1. However, it would appear that even suspicious e-mail arriving from unknown senders, long the favorite delivery channel for malware and links to phishing sites, continues to stand as a problem

6.5.3.2. specific to remote working

6.5.4. data exposure

6.5.4.1. In addition to the growing number of threats being hosted on social-networking sites such as MySpace, Gray said that the personal data that people share about themselves and their employers on the sites poses a significant risk for the creation of targeted attacks.