Bad behavior, not malware, puts more of your corporate data at risk

Bad behavior, not malware, puts more of your corporate data at risk

Summary: Personal cloud services, portable storage devices, and email are a company's worst enemies. Malware is much less of a problem than once thought.

TOPICS: Security, Cloud, Mobility

Although viruses and other malware apps still plague businesses, it is the poor habits of a company's employees that cause the most problems for corporate security staff. We all know that employees do dumb things and will continue to do so, no matter what we, as IT, try to do about it. There's no amount of lockdown that can prevent stupid*. A combination of training and strict policy are the only hopes for preventing chaos.

A recent report released by Globascape "reveals that employees rely on unsecured, consumer-grade tools to send sensitive corporate documents".

The survey consisted of responses from more than 500 professionals and yielded some interesting and disturbing results:

  • 63% of employees use remote storage devices to transfer confidential work files
  • 45% of employees use consumer sites like DropBox and
  • 30% of employees use cloud storage services
  • >60% of employees use personal email to transfer work info
  • Nearly 75% think IT approves of this behavior

Almost one-third of the employees who use their personal email to transfer work information, know that their email accounts have been hacked.

Some of you who read this will assume that BYOD is to blame here but that isn't the case at all. This survey didn't separate out those respondents with BYOD programs in place, so there's probably a mix of the two represented here. So no direct inferences can be made from these data about BYOD versus corporate-owned devices.

And I'm not sure that it matters for most users whether they're using corporate-owned devices or personal ones. If the app or service is available to them, they'll use it to work around corporate road blocks. In most cases, users are not using these services maliciously or with ill intent. They're simply using apps, services, and sites familiar to them.

"Millions of employees are actively using consumer-grade tools, like personal email, social media, and file sharing sites, to move confidential work files every day," said James Bindseil, president and CEO of Globalscape, a developer of secure information exchange solutions. "While the intent is typically harmless, these actions can have serious security and compliance ramifications."

And some enlightening file sharing statistics:

  • 48 percent of employees said that their companies have policies for sending sensitive files
  • 30 percent said that their companies don’t have policies in place
  • 22 percent were unsure whether a policy existed

"The information-sharing needs of today's workforce are rapidly evolving, and most organizations are failing to keep up," says Bindseil. "Employees need and expect instant access to information, and the ability to send and store files at the press of a button. When internal technology and tools come up short, employees will find a workaround."

While there are many reasons that employees find alternatives to their company-provided file-transfer tools, the biggest drivers are simplicity and ease of use. According to Globalscape's survey:

  • 52 percent said it's more convenient to use a tool that they know well
  • 33 percent reported that recipients have had trouble accessing files sent through the company system
  • 18 percent said they use alternatives because the company's tool does not offer mobile access

"Speed, simplicity, and mobile access are critical," said Bindseil. "If enterprises have any hope of managing and securing the sensitive data leaving their organization, they need to provide solutions that easily integrate into the daily routines of their employees."

In my opinion, it's difficult to monitor every employee's actions regarding file sharing, personal email, transfer of corporate documents via USB sticks, or writeable DVDs, or cloud services. And I believe that the problem has less to do with who owns the device and more about who's using it. It's a well-known fact that employees are the weakest security link. It is that single reason that phishing attacks and social engineering are so effective in circumventing multi-million dollar security initiatives.

The answer is training and well written, explicit policies regarding these services and actions. It's not enough to simply send out a memo once a year regarding employee behavior. Employees must be taught how to properly transfer files from one corporate location to another without using personal cloud services, to use corporate email services without compromising data, to deflect phishing and social engineering attacks, and to not transfer sensitive data, or any corporate data, via USB sticks or SD cards.

It isn't enough to say, "It's in the manual". Employees need training—training on corporate approved methods and on the policies regarding such activities. If no training exists, it's time to implement it. If no policies exist, it's time to write them.

I further suggest that companies discuss the needs of their employees with the employees and perhaps purchase tools and services that remove the need for circumventing corporate standards and security. If you believe that the numbers presented here are skewed or not applicable to your employees, conduct your own anonymous survey with your employees to find out for sure.

What do you think of the survey results? Do you know of coworkers who use these "forbidden" services or tools? Do you, yourself, use such services or tools? Talk back and let me know.

*A Ron White reference for fans ("You can't fix stupid").

Topics: Security, Cloud, Mobility


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • stupid is as stupid does

    Some people will go to great lengths to go around your best laid security plans. This however goes beyond stupid. If they were merely stupid they wouldn't have succeeded in dodging the rules. They're maliciously stupid... determined to do it their way regardless of what they have been told and warned about. They are just as likely to be the entry point for malware as well, god bless em.

    No, you can't fix stupid.
  • @greywolf7

    Exactly. That's why good instructor led training and well-written policies are a must.
  • Umbrellas are useless in hurricanes

    All the training and policies are not going to change habitual mindless irresponsible idiots that are in the work force.
  • Who is the Stupid One.

    I just hate it when you IT types think that your GOD and all us PEONs need to follow your archaic rules. Just give us tools that work. Wow, my personnel email can be hacked!, But my corporate email can not? Who says DROPBOX is less secure than a corporate server? I will continue to use my USB stick until you pry it from my cold dead fingers!

    IT need to remember, they work for us, not the other way around.
    • If you really act like that, you're the stupid one

      IT have policies in place normally to protect the business from its users. Using googles cloud storage? Google can read and own (IP wise) everything you put up there (not picking on google others are equally guilty of it) and by you clicking the I agree button you signed you're employer up to that.

      Anything can be hacked but its about confirmation to industry standards and ensuring legal protection, in some industries the behaviors you describe would be grounds for automatic firing.

      IT should provide alternatives to deliver the tools and flexibility needed (the good ones do) however users have to accept that there needs to be some behavioral conformity
    • You workers need to remember, we work together - we don't work for you.

      Actually, we usually work for people way above your station, and if they say no USB sticks because it lets data out the door, then you either deal with it, or leave. You seem to forget - this is NOT your data by any sense of the word. It belongs to someone else.

      You're just paid to use it as directed, nothing more. If that doesn't sit well with you, I'm sure the company will find someone to replace you.
    • How about working with IT?

      If you find that some IT policy or outdated tool you use is affecting your ability to do your job then why not try working with the IT dept. instead of against them all the time? They may be able to shed some light on why things are the way they are, things you're not privy to, other considerations you may not be aware of. IT is not your enemy, they just live in it everyday and have to take the whole system into consideration with virtually everything they implement, something I don't think the average user is aware of. Sometimes it seems that some users think they should be allowed to just "wave their arms around" and everything should do what they want. This isn't magic we're dealing with, it's technology, and far far more is going on "under the hood" than what most users realize. S'all ahm sayin...
      • work with IT

        An old story from early in my career.

        I worked in a departments which prepared two reports for the CFO each quarter. To do so we needed to pull data from a 1,000+ page mainframe print job every quarter. We asked MIS/DP (direct ancestor of current IT) for electronic copies of those reports. No can do because MIS/DP couldn't control how those electronic files were used. Apparently they had no role in how the exact same data in hardcopy was used.

        Ad hoc solution: another guy in the dept had a PC with an IRMA board and a printer. MIS/DP set up his printer as a mainframe printer. That meant he had access to the spooled print job, so he downloaded it. He passed it to me via tape drive. I parsed it into usable form using awk. 30 hours/quarter reduced to 2 hours (most of the time was due to the tape drive transfer).

        When MIS/DP found out, their head was pissed, but the CFO and CEO told MIS/DP that we could continue using the home-brew process until they provided us an alternative which took no more than 2 hours/quarter. That took them a year.

        Maybe that was because it was the early years of the PC era, and the mainframe folks just hadn't come to terms with PCs. Still, I always recall this whenever anyone mentions working WITH IT. Circumstances may have changed, but the mindset lingers on.

        Why doesn't IT go to every other dept at least twice a year and ask what they spend most of their time doing?
        • Good example..

          I'm sure many related ones can be found today. I remember when the Army resisted going PC in the '90s, but it was a losing battle, because even the company commanders could see the advantages outweighed using the old system. Security wasn't as much of a problem then, as few were on the up and coming internet. A few years earlier than that, document transmission was over POTS and dedicated phone line that was even more secure than today.

          However, in the DOD sneaker net, I saw my 1st virus coming from a Ft. Lee Virginia floppy, that hosed our SASS mini-main frame - so much for using the Army way of doing things!!
    • continue to use my USB stick until you pry it from my cold dead fingers!

      No problem, that can be fixed.
      With Epoxy or a hatchet or a pink slip.

      Definitely have used epoxy to seal USB ports, have seen people fired for refusing to adhere to policy. I still think the hatchet would work. :-)
      • Perhaps, a less destructive approach to USB sticks ...

        As an example.

        P.S. Ken Hess, why not include the acronym, BYOC, for cloud-based services, including storage and email. Organizations can block web browser access to both webmail and online storage services. They can also choose to purchase Chromebooks and/or Chromeboxes for employee access to personal email in the lunch or break room. Also, an employee's USB stick falls under BYOD, IMO.

        P.P.S. The recent Target breach, which appears to be one of many similar breaches, resulted from IT organizations (although it's possible that the CFO didn't authorize funds for shoring up cyber-defenses). Ditto for the Bit9 hack, which enabled the miscreants to attack selected Bit9 customers.
        Rabid Howler Monkey
    • If it was as easy as that

      then there wouldn't be IT specialists in the first place.

      Of course IT supports the business - just not you at the expense of everyone else.

      Stop being selfish please. Just pause, think, and ask questions instead.

      And yes, dropbox is less secure than a corporate server, because the corporate server is setup with your organisation's risk profile, and supports other privacy and legislative obligations that do not apply to dropbox. There is also the rights of your organisation to protect its intelectual property to consider.
  • Some do a great job!

    I consulted to a large financial firm for a while. They have over 60,000 employees world-wide. They're the kind of place that hired me, started paying me the moment I walked in the door, and insisted that I take all their "security" training before I was given access to any of their system. The training included topics such as: What is private, confidential, and sensitive information, and how I must treat each type of info; proper use of company equipment (such as laptop, network, etc)., and even a course on social engineering and how it affects the company.

    When I finally got access to their systems, I noted none of my devices could access their network, the laptop was thoroughly locked down. Even USB ports would not recognize a USB stick.

    I was in their Security Governance department. I was there with a team to rewrite the corporation's security policy and security standards. These guys were doing a good job, and getting still better at it. They even compensated for "stupid" through a combination of training, data and hardware lock-down, and ongoing monitoring.

    It can be done. It's just not easy, and it costs a lot to do it right.
  • I agree. Security is quite difficult, for a lot of reasons.

    Regarding the post itself. Malware definitely is a factor but it is usually a factor because of behavior.

    "Bad" behavior isn't always because people are stupid or malicious. The formula is that Convenience = 1 / level of security. Most people just love convenience. If you make things too inconvenient (more security) they will find a workaround resulting in less security. If you start with lax security you have lax security.

    I think companies need to really think about what is really important to secure and put their efforts there. Don't sweat the small stuff. Tight security where it really counts and less security where it doesn't. For example it really doesn't make a lot of sense to secure the kind of information covered by a patent. A patent is a disclosure of information with protections on it. Now if you have IP which is a trade secret (formula for Coca Cola for example) you had better put wall after wall of inconveniences in place.

    Malware have issues outside of corporate espionage. Malware can be very disruptive once it spreads throughout a company. So we need to keep guarding for malware regardless of behavior policies.
  • Consequences

    Training is the start, and if you do it right, and have good employees it will work, but there is one additional factor that is needed....consequences.

    Those who violate the policy need to be fired, and that fact made known throughout the company.

    "John Smith was fired for violation of the company's information security policies. Don't be like John Smith."

    A few of those and things will get better quickly. You can train them all you want, but they have to care.