Data Leaks, Mobile Trends, and Risky Small Business–Key Findings


Threat Landscape

Data Leaks, Mobile Workers, and Risky Small Business—Key Findings of Annual User Study

Each year, Trend Micro polls 1600 corporate end users in the U.S., U.K., Germany, and Japan to better understand their perceptions of and experiences with Web threats as they relate to the workplace. Respondents are grouped according to company size, with a small company defined as fewer than 500 employees in the U.S., U.K., and Germany and fewer than 250 employees for Japan. A total of 800 computer users from small companies across the U.S., U.K., Germany and Japan were surveyed. The results were then compared to previous studies conducted in 2006 and 2007 to monitor trends. The following article highlights several key findings from the 2008 survey results.

Data Leaks—A Growing Concern

For the first time in the Corporate End User Study, Trend Micro surveyed computer users about the prevalence of data leaks within their business environments. Data leaks occur when employees leak sensitive information about customers, finances or intellectual property in violation of security policies or even regulatory requirements. Surprisingly, authorized personnel cause most corporate data breaches—probably because employees have easy access to valuable corporate data. Despite the fact that corporate enterprises have deployed protective measures such as virtual private networks (VPNs), firewalls, and network monitoring to prevent unauthorized external access to proprietary information, these solutions fail to adequately address the rising threat from internal users. Leaks can occur either through deliberate policy breaches, such as stealing data for financial gain, or by accident, such as an employee misplacing a thumb drive or losing a laptop containing customers' account numbers.

The explosion of messaging systems, wireless networking, and USB storage devices has also made protecting critical corporate information increasingly difficult.
And growing numbers of telecommuting and traveling employees have increased mobile device use and the tendency to transmit sensitive information via email. This creates a challenge for today's companies to protect against the loss or theft of corporate data assets—either by employees or contractors.

Because data leaks are becoming an increasing concern, Trend Micro polled end users to determine if users understand which information within their organization is considered confidential and therefore worthy of protection. According to the survey, U.S. end users are more likely than end users in the U.K. or Japan to identify confidential company data. Perhaps this is because U.S. companies adopted the Internet within the workplace early on and therefore developed more policies and regulations to govern the use of proprietary and confidential data.

The survey also indicates that end users in large companies in Japan better understand what constitutes confidential company data, compared to smaller organizations. This may be due to the greater likelihood that large companies conduct compliance training compared to smaller organizations, increasing the probability that users would better understand which information is considered confidential. The survey also noted that laptop users in the U.S. and U.K. are more likely to fully understand which information is confidential than desktop or workstation users in those countries.

Perhaps most alarming was the percentage of users who reported leaking data. Overall, in all countries surveyed, six percent of end users admitted to leaking confidential information outside the company. This is especially disconcerting because the survey was based on self-reporting, which would indicate that actual numbers are probably much higher since most people would not admit leaking confidential information.

Also, while six percent of end users admitted to having leaked company information, 16 percent believe other employees caused data leaks.
Interestingly, end users in the U.S., U.K., and Germany are more likely to admit to leaking company data, either intentionally or accidentally, than end users in Japan.

According to the survey, in all countries, it is more common for large organizations to have established preventative policies than small companies. However, the survey also indicates that employee data leaks are believed to be more common in large organizations. This might indicate that data leaks occur, regardless of whether companies have set policies.

The survey also asked end users about the amount of training they received to prevent data leaks. According to survey results, one in seven U.S. end users has been trained on their company's data leak policy and significantly more users in the U.S. have been trained, compared to the U.K. In all countries, a majority of trained end users think they would score highly if tested on their company's data leak policy.

The survey results indicate that companies, particularly small businesses, can be more proactive in preventing data leaks. The increasing challenge to effectively manage data breaches is becoming a serious security concern to companies forced to comply with strict government regulations regarding data handling, such as the Gramm-Leach-Bliley Act, the European Union Directive on Data Protection, Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act (HIPAA). Failing to comply can trigger fines and litigation, not to mention brand damage and negative press.

Laptop Users' Activities Differ by Country

According to the survey, in the U.S., laptop end users are not any more likely to use the Internet for personal reasons while off the company network compared to when they are on the network. U.K. laptop end users, however, are more likely to check personal email and browse Web sites while connected through their company's network.
German and Japanese laptop end users are more likely to download executable files while connected through their company's network—perhaps indicating that users in both countries have faster Internet connections at work. Interestingly, Japanese laptop users are less likely than laptop users elsewhere to connect to the Internet outside the company network, and U.S. users are more likely to connect at airports.

In the U.K., Germany, and Japan, mobile users are more likely than desktop users to send confidential information via Instant Messaging or Webmail.

Risky Business

According to the survey, in the U.K., Germany, and particularly in Japan, employees of small companies take more online risks while on the company network compared to their counterparts in larger organizations. The study found that certain risky activities such as browsing Web sites unrelated to work, shopping online, visiting social networking sites, downloading executable files, and checking personal Webmail are more likely to occur amongst small businesses.

For example, 32 percent of U.K. small business employees admitted to downloading executable files that can potentially lead to Trojan or virus attacks and, ultimately, identity and data theft. Checking personal email is the most popular non-work related online activity for German workers, especially at smaller companies—70 percent of small-business employees check personal email at work, compared to 59 percent in large companies.
In Japan, the study revealed that most personal Internet activities that occurred were more likely to happen in small businesses.

Despite a higher level of risky online behavior occurring, only about 50 percent or fewer of end users within small companies had an IT department, which may explain why spam, phishing, and spyware were more commonly reported within these companies compared to larger organizations.

In all countries surveyed, small organizations are less likely to have established preventative policies than large companies. This probably explains why the survey found that small company end users in Japan are less aware of confidential data concerns compared to end users in larger organizations. Only 33 percent of small business end users said they understood what constitutes confidential company data compared to 46 percent from large companies. This held true for users in both the U.S. and the U.K. as well, but the disparity was smaller.