Brits lack email security awareness – says a Cisco report

by Michael Smith

British workers are more likely to open dodgy-looking emails than workers in any other developed nation except China, according to new research by Cisco on the habits of corporate workers.

I must say that this finding comes as no surprise to this writer, as I have seen this happening, but the Brits are not alone here, of that I am sure. There are also enough people in the United States who will do that and also fall for the kind of spam like “pass this on to 100 of your friends or your PC will blow up” and stuff like that.

While only 25% of US workers, 23% of French workers and 28% of Japanese admitted opening suspicious emails, the figure in the UK rose to 45%. Only the Chinese, at 54%, showed a higher level of curiosity.

Maybe the Brits are a little more honest than the workers from other countries when they answered the questions.

But although the Brits like to see the message text, they are better disciplined when it comes to opening unsafe attachments or going to websites of dubious origin. Only 3% admitted doing so – far fewer than most other countries. In Japan, 14% opened attachments, followed by India (11%), China (8%), Germany (6%) and Australia (5%). Only 2% of US workers admitted opening attachments or suspicious URLs.

The problem here is that not all URLs are suspicious-looking. However, the advice should be not to open attachments or follow links unless we know who sent them and that they are safe. If need be, check back with the supposed sender.

The Cisco research marks the second year the company has surveyed attitudes in 10 industrial countries, questioning 100 IT decision-makers and 100 remote workers (end-users) in each country.

The survey also found an increase in workers using their work computers for personal use, such as shopping. In the UK, 43% of respondents said their company had no objection to them doing so.

It seems also that the lines between work and home computers are blurring, with a greater proportion of remote workers using personal devices to access work files, and work devices to access personal files than they did in 2006. That trend seems to be strongest in China and the US.

It is because of this blurring trend that devices such as the MXI Secure Stealth MXP loaded with the MojoPac Enterprise desktop environment are so important nowadays. People use their own PCs to connect to the networks of their companies and organizations and could inadvertently introduce the gods only know what into the system. A secure desktop on a USB drive is the answer here. But I digress.

There is some risky behaviour about. We have more remote workers, and we are blurring the lines between personal and corporate assets. And with Web 2.0, everyone has hopped on the bandwagon of socialising with people around the world.

A lot of people at work feel comfortable because they believe their PCs are locked down tightly. With the threat vectors changing, however, we need to take a look at how to tackle such threats. This means that users have to be trained properly and that proper procedures and devices must be used to make things as secure as possible.

Hackers from around the world are starting to use stealth tactics to get into networks and steal intellectual property. Who wants to pay millions in research and development when they can just go and steal the information?

Often, poor security procedures are allowing hackers to penetrate networks and, once inside, they escalate their privileges to become basically an unpaid systems administrator. They then grab the corporate data and remove it very slowly, piece by piece, so that no one even knows that they have been there.

Technology and procedures can only do so much. A cultural and behavioural change needs to be imposed in the organisation so that people understand the implications of their own vulnerabilities.

People have to be made aware of the potential repercussions of any mistake or a "moment's lack of thought".

For compliance purposes organisations also need to be able to show they provide users with adequate training and information, so that they can prove good practice in the event of a security breach.

© M Smith (Veshengro), September 2008