Recent Harris Interactive study sheds light on security mentality

A new study from Harris Interactive, sponsored by identity and access management firm Courion, offers some interesting insight into the risk profile of more than 2,000 adults. The study was commissioned by Courion to focus on risky behavior, but CSO found it interesting for a completely different reason. The results offer an unfiltered view into how people think.

Asked whether they know at least one co-worker who is accessing, or has accessed, company information that they shouldn’t have access to, or whether they themselves are doing so, 74 percent of those who took part in the study disagreed. This is good news, as it shows that people for the most part can be trusted with access. The downside is that 26 percent of the same group knew someone accessing data that they shouldn’t, or worse, they themselves were accessing the data. This is where many organizations struggle, and stories of loss due to a trusted insider fall squarely into this group.

Related to trusted access are two other questions: one dealing with job change, and the other with outright theft. Account management has always been an issue that any security organization needs to deal with. Once an employee leaves the job, their network and corporate access needs to be revoked. However, according to the study, 16 percent of the adults questioned reported that they were still able to use old usernames and passwords to access their former employer’s systems, applications, or customer accounts. Moreover, 15 percent of them admitted that if they knew they were about to be fired, they would take company information such as customer data, price lists, or production plans with them.
Obviously, the upside of those stats is the fact that the majority had no access after leaving, and would not take sensitive information if they knew the axe was falling. The picture painted here, again, is that people for the most part can be trusted, but there will always be an exception to the rule. This is why access controls and monitoring are important layers of any well-rounded network defense strategy.

“It’s worrisome that despite years of software development and awareness-building, many organizations still lack control and insight into the growing access risk within their own walls,” said Chris Sullivan, vice president, advanced intelligence solutions at Courion, in a statement on the data.

Risk from within is a topic that CSO covers extensively, the most recent example being a study last month from TNS Global. According to that study, 30 percent of those surveyed admitted they would open an email, even if they were aware that it contained a virus or was otherwise suspicious.

According to the Harris Interactive study, when asked if they’ve clicked on an email at work that was suspected of being a phishing email or otherwise fraudulent, 21 percent of the respondents admitted to doing so. Further, the same group also said they didn’t inform IT of their actions.

“These are otherwise intelligent people who, if informed about the potential consequences of their actions, would do the right thing,” said Sullivan. “Any employee may succumb to natural curiosity. Before curiosity kills the cat, organizations need to get their arms around this behavior.
They need to educate their employees and use systems that eliminate risky activities.”