Piggybacking on a study last month illustrating that remote workers are engaging in risky network behavior, Cisco...
this week released additional findings that show that those same workers are confused about IT's role in corporate security.
Jeff Platon, Cisco's vice president of security solutions marketing, said many remote workers feel that IT does not have a right to know how they are using their work PCs and the corporate network while they're working off site. Remote workers are also unsure exactly who is in control when it comes to network security. Platon called the findings "disconcerting."
"We're still getting used to the fact that today you have to take the same precautions in a virtual world as you would when you go to a shopping mall and lock your car doors," Platon said.
The study includes responses from more than 1,000 remote workers and 1,000 IT decision makers in 10 countries -- the U.S., U.K., France, Germany, Italy, Japan, China, India, Australia and Brazil -- and builds on previous research around the contradictions in remote workers' security awareness and actual behavior.
The first portion of the study, released last month, showed that many remote workers claimed they were aware of security concerns, but those workers admitted that they often engage in risky behavior while using corporate devices. Their behavior included hijacking a neighbor's wireless network, opening suspicious email, accessing corporate files with personal devices, and sharing work computers with non-employees. Many respondents offered explanations for their shady network behavior, including: "I don't think this behavior creates security risks -- My company doesn't know or wouldn't mind me doing so -- Other co-workers do it."
According to Platon, the new study asked the same remote workers their perceptions of IT's role in protecting them. IT professionals were also queried on how they see users perceiving their role.
Platon said the findings were startling and eye-opening. In six of the 10 countries, more remote workers felt their managers had more authority to control their network behavior than IT organizations did. In France, 38% of remote workers said their online behavior was no one's business; only 33% said IT had a right to monitor their network use.
Overall, a moderate number of remote workers felt that IT had the right to know how their work devices were being used, and the survey found that IT is pessimistic, feeling that remote workers wouldn't take their role in security seriously.
In the U.S., 66% of remote workers said IT has a right to know their network behavior, while only 50% of IT respondents agreed. Sixty-six percent of end users also said that it is IT's job to protect off-site; only 60% of IT respondents agreed.
Aside from managers and IT, 13% of all remote workers felt no one should control their use of corporate devices. In the U.S., 14% of respondents wanted no control; France topped the bill with 38% of remote workers saying that no one should control their device use.
The survey also discovered that the majority of remote workers think it is their manager, not IT, who is responsible for monitoring their use and ensuring they're not engaging in risky network behavior. When asked who should be keeping tabs on network and computer use off-site, 57% of remote workers said their managers, 51% said IT, 16% said co-workers, 14% said it's no one's business, and 8% said someone other than IT, their manager or co-workers.
Platon said these results show a disconnect and illustrate that IT has to be more proactive in getting the word out to end users and remote workers. The results also spotlight the influence that social and business cultures have on perceptions and behavior, he said.
"[End users] don't think of IT necessarily being experts in this area," Platon said. "Many end users think it's their managers' responsibility to monitor use. This is a call to action to understand that security really is everyone's job."
James Ballou, IS security specialist and the HIPAA security officer at Driscoll Children's Hospital in Corpus Christi, Texas, said the hospital's biggest concern when it comes to remote workers is ensuring that they have the appropriate level of access without posing a significant risk of exposing the network to attack.
"Selecting the method of remote access may be essential in ensuring that an infected remote host will not have an adverse effect on your internal network resources," Ballou said. "In some instances, it may be preferred that you deploy remote access to a location or user via Terminal Services or Reverse Proxies to limit access and prevent any undesired direct communications with internal assets."
Ballou said remote workers surfing potentially malicious and questionable Web sites is one common form of risky behavior. He added that connecting to remote wireless hot spots, allowing non-employees to use their laptops, and other behaviors also happen once in a while among Driscoll Children's Hospital's 200 to 300 remote workers.
"This type of behavior can often lead to malware being installed on the laptop," he said, "especially in circumstances where the laptops have been out of touch with corporate update servers."
Ballou agreed that in many instances, remote workers do not know who is responsible for security, but he said that communication can solve that problem.
"I think this has traditionally been true because IT security has not been directly involved with the customer base [remote workers]," he said. "In our organization, IT security is much more involved with the customer base through orientation, working on compliance issues as needed to correct policy violations."
In order to enforce security policies on remote workers, companies need to take a close look at organizational policies and procedures, according to Ballou, and they should implement technology that can help enforce policies.
"Depending on your organization, that may include software or hardware for passive monitoring and reporting, while for others it may mean proxies and agents that can apply the appropriate policies of each host," he said.
Another portion of the study found that help-desk calls from remote workers are on the rise. According to the study, 34% of U.S. IT shops surveyed reported a boost in help-desk calls from remote workers. India and China had the highest results, 55% and 48%, respectively.
The IT pros who indicated an increase in help-desk calls cited various reasons for the jump. Forty-seven percent said their incidents of viruses and/or worms increased; 53% said their incidents of adware and/or spyware increased; 50% noted an increase in spam and/or phishing; 25% said identity theft had increased; and 42% said they experienced more hacking incidents. In addition, 42% said end users are working remotely more often, and 36% said the number of security incidents and threats increase as the number of remote workers grows.
The study found that 66% of U.S. IT shops plan to increase security spending because of the boost in remote workers and potential network threats. Forty-four percent said remote workers will cause them to increase security spending by 10% or more; 22% said they will spend less than 10% more. In China, 90% of IT respondents expect to spend more money on security to accommodate remote workers.
Driscoll Children's Hospital is likely to spend more money on security because of remote workers, especially as technology improves, Ballou said.
"Most security solutions for portable computers provide limited functionality focusing on one or several aspects of security: antivirus, spyware, firewall, HIDS, encryption or endpoint device security," he said. "It would be preferred that one agent be able to provide all of the policy-based security required for a laptop that can be managed using one central administrative console. It is too cost-prohibitive in most circumstances to deploy and manage multiple solutions in order to get complete coverage for remote solutions."