What users don’t know can hurt them— And your business

Analyzing Consumer IT Security Bad Habits That Are Coming Into The Office

Harris Interactive Survey Results Revealed and Analyzed

20140224




WHAT KEEPS IT PROFESSIONALS UP AT NIGHT?

What keeps IT professionals up at night? Most of the time that answer is corporate employees. Specifically, the inevitable mistakes they make in how they use their devices and secure their data. Hackers regularly capitalize on employee naiveté regarding computer security. Spear phishing is defined, in part, as a targeted attack meant to infiltrate one specific company by preying on the ignorance of individual employees. Hackers design text that’s alluring to employees at a given organization, and they know that the chances of success are relatively high.

In 2011, a hacker was able to steal information about the security schemes governing certain RSA security tokens. The hacker found a way into RSA’s systems via a phishing email sent to an RSA employee, according to a blog post on the RSA website in the days after the hacker’s work became public.

Worrying about employees and their work habits in the office is not new to IT pros. What is relatively new is the ability for these employees to now become mobile. Long gone are the days when corporate data was confined to the office, easily controlled by IT staff. The security perimeter today reaches into coffee shops, airports and airplanes, not to mention employee-owned devices such as personal phones, tablets and laptops. IT teams want to enable productivity, but they don’t like corporate data stored in places they can’t control, with users prone to mistakes that put data at risk.



THE LAPTOP IS STILL THE PREFERRED WORK PLACE VEHICLE

While tablets and phones are gaining in popularity in the workplace, the laptop is still the preferred vehicle for doing work. IDC predicts there will be more than 240 million laptop users by 2017.

An October 1, 2013 article in Computerworld cites an IDC study showing people are not replacing their PCs with tablets; rather, tablets are used to complement PCs. According to the story, “Even with the focus on workplace productivity… only 8.7% of tablet buyers want to use the tablet as a replacement for their laptops. The same survey by IDC found that 58.5% of respondents bought a tablet to use in addition to a laptop, and not as a replacement.”

The cloud and the Internet make it easier for users to do work outside of the office, on corporate or personal laptops. File sync and share services like Dropbox allow for easy access to connect from any Internet-accessible machine. Again, corporate IT understands the risk posed by file sync and share, but the services are an effective way to dramatically spike productivity.

The convenience of file sync and share services is confirmed by the increased usage within organizations. In July 2013, Forrester Research called file sync and share “the hottest technology category since social networking.” A June 2013 report by Osterman Research charted the uptick in Dropbox users: “The service had four million users in January 2010, reached 25 million users by April 2011… and added its 100 millionth user in November 2012.”

“BOTTOM LINE: IF YOU NEED TO DO SERIOUS WORK, NEED POWERFUL PROCESSING OR MULTITASKING, OR NEED COMPATIBILITY WITH A SPECIFIC ACCESSORY OR STORAGE DEVICE, THERE’S NO GOOD ALTERNATIVE TO THE LAPTOP. TABLETS CAN FULFILL SOME OF THESE NEEDS SOME OF THE TIME, BUT WHEN IT’S TIME TO GET THINGS DONE, THE LAPTOP STILL REIGNS.” - BRIAN WESTOVER, 2013


CORPORATE DATA ENDS UP ON MULTIPLE DEVICES

Users prefer laptops to do work outside the office. Corporate data can end up being copied on multiple devices, including those company-owned and those that are not. That data goes with users everywhere and anywhere, and is prone to theft or loss. No matter how careful we are, laptops are lost and stolen all the time. In late 2013, an Intel-commissioned survey by Ponemon Research found that 329 organizations had lost more than 86,000 laptops over a 12-month period, according to Information Week. Ponemon estimated a cumulative total cost of $2.1 billion ($6.4 million per organization), based on the research.

The survey found that over a three-year period, laptops have a five to ten percent chance of being lost or stolen, and that only one out of every twenty lost laptops is ever recovered.

IT pros hear of lost laptops all the time. They hope the incidents are not disasters. Maybe the laptop was owned by an employee and no corporate information was lost. Or maybe the hackers didn’t care about the corporate information on the machine, and it luckily didn’t contain any information requiring breach disclosure if lost.


WHAT ARE TYPICAL CONSUMER SECURITY HABITS?

Given the portable nature of work, the use of non-company devices and machines, and the ubiquity of access to the cloud as a way to transfer company information, end user habits regarding computer security are gaining importance to IT pros. How consumers perceive IT security—their thoughts about ways to properly secure their own machines and the consequences of data loss—sheds insight into how those consumers will care for corporate information when they take it out of the office. WinMagic recently took a deep dive into the issue of the typical computer user’s false sense of security. Working with Harris Interactive, the company surveyed more than 2,000 U.S. adults to see what data would be at risk if their computers were stolen or lost, and what type of security they have in place on those machines. We break down the results in this eBook, and we provide some advice to IT pros given our analysis of the data.

We live in an environment where data breaches are reported every day. Many data breach notification laws and other regulations require companies to disclose the loss of company laptops containing sensitive information. The possibility of losing a computer should be very obvious to consumers, and one would hope that possibility would encourage them to carefully secure personal laptops—even desktops—and the information that resides on them. If you guessed that our survey results show that this is not the case, you would be correct.

DID YOU KNOW? 1 in 10 laptops are lost or stolen over the lifetime of the device.


VERY LITTLE DATA IS PROTECTED WELL

One question in the survey asks consumers about the security controls in place to protect their laptops or desktops. The question reads: “In which of the following ways, if any, do you secure your personal laptop/desktop computer?” Respondents could select all answers that apply to them. The potential answers and breakdown of responses are listed below.

WHAT DO YOU DO TO SECURE YOUR COMPUTER?

71% use and update firewall and anti-virus (AV) software

56% enter a password

46% install operating system (OS) updates regularly

31% change passwords regularly

14% encrypt

10% lock device in a security case when not in use

10% not sure

Slightly more than 70 percent of respondents use firewall and anti-virus (A/V) software to secure their computers. And greater than 85 percent do not encrypt the data on their computers. If their machines were lost or stolen, all of the information, personally identifiable and otherwise, would be up for grabs. Simply put, users are unaware of encryption technology. What users do not know or understand is that the other ways of “securing” computers are, in fact, not secure at all.


SECURE YOURSELF

FIREWALL AND A/V SOFTWARE

As any IT pro knows, firewall and A/V software secures the computer only when it is on the Internet. This software is also only as good as the virus definitions, which need to be updated often but are typically forgotten. This software is good to have, but it is only active when the device is in the owner’s hands. It won’t help if the device is lost or stolen. It is great that 71 percent of respondents use firewall and A/V software, but WinMagic experts fear that this high percentage means that too many consumers think installing A/V software is enough. Truth be told, anti-virus software is the bare minimum.

PASSWORD

It is reassuring that 56 percent of respondents require a password at login to protect their computers. That number is much higher than expected, as it is far more convenient to boot straight into Windows and run the device. There is some level of security in having a password. However, Operating System (OS)-based passwords are very easy to circumvent. For example, a Windows login password is susceptible to many different exploits that can provide a hacker access to the information on the system. Just short of a third of respondents change their passwords regularly. Given how many times users are told to change their passwords, this number is alarmingly low. And those who change their password regularly are likely unaware that no matter how often the password is changed, if the device is lost or stolen, the password can be broken.

FACT: 71 percent of respondents use firewall and A/V software.

TRUTH: This software is only as good as the virus definitions, which need to be updated often but are typically forgotten.

FACT: 56 percent of respondents require a password at login to protect their computers.

TRUTH: There is some level of security in having a password, but OS-based passwords, for example, are very easy to circumvent.


SECURE YOURSELF

INSTALLING OS UPDATES

Installing OS updates reduces the risk of online exploits for devices that are running, which can help ensure a device is not compromised. Similar to firewall and A/V software, the installation of OS updates should be part of a security posture, not the only security method.

LOCKING IN A SECURITY CASE

Ten percent of respondents lock their laptop in a case when it is not in use. This is a great best practice as it makes the device harder to steal. However, if the case is cracked, the device and its data are an easy target.

FACT: 46 percent of respondents install operating system (OS) updates regularly.

TRUTH: Installation of OS updates should be PART of a security posture, not the ONLY security method.

FACT: 10% of respondents lock their laptop in a case when it is not in use.

TRUTH: But... if the case is cracked, the device and its data are an easy target.


LOTS OF DATA AT RISK

The survey also asks consumers about the information on their computers. They were asked: “Which of the following types of personal information, if any, would be at risk if your personal laptop/desktop computer or mobile device were stolen/lost?” Again, respondents could select more than one answer from among a list of possibilities. The potential answers and breakdown of responses are listed below.

62% PERSONAL EMAIL

54% PICTURES AND VIDEO

39% LOGINS AND PASSWORDS

38% BANKING AND FINANCIAL INFORMATION

37% SOCIAL MEDIA ACCOUNTS

15% WORK-RELATED CONTENT


THE RESULTS OF THE SURVEY SHOULD SET OFF ALARM BELLS

NEARLY 40 PERCENT OF RESPONDENTS NOTE A COMBINATION OF LOGIN NAMES AND PASSWORDS; BANKING AND FINANCIAL INFORMATION; AND SOCIAL MEDIA ACCOUNTS AS POINTS OF CONCERN SHOULD THEIR COMPUTERS FALL INTO THE WRONG HANDS.

All of that information can serve as proof of identity and makes an identity thief’s job easy. Therefore, all 40 percent of those consumers are at high risk of identity theft if their computers were lost or stolen, unless the devices are properly secured.

First off, 15 percent of respondents have work-related content on their personal machines. For IT pros and C-level execs, this means you should assume that at least one out of every ten of your employees has corporate information on their personal machines. One in three respondents said their login names, passwords and banking information would be at risk if their computers were lost or stolen.

End users likely do not realize that their web browsers store user names, passwords and logins across all visited sites if the user does not clear their browser cache. This includes banking sites. So while a user might not have a file named “passwords” on their desktops providing a central repository for all their account credentials, those passwords are easily accessible through a browser.

Similarly, 62 percent of respondents think their personal email would be at risk if their computers were lost or stolen. It is highly likely that 100 percent of computer users have accessed personal email on their machines at some point. Email is a great way for a computer thief to reset passwords. Once access to an email address is achieved, a thief can browse to a social media or other web-based account, click “Forgot Password” and enter the email address. When the “Reset Password” email arrives in the corresponding inbox, the thief is easily able to gain access to the website account and reset the password.


BAD HABITS FOLLOW USERS INTO THE OFFICE

No surprise that the survey results demonstrate a general lack of understanding on consumer computer security. A significant percentage of consumers store banking information on their machines, and this could be a disaster if the machines get in the wrong hands. Yet, a very small percentage of consumers are encrypting their computers even though encryption is readily available to end users. Apple provides native encryption functionality within the OS; Microsoft has BitLocker for more recent Windows versions; and consumers can buy over-the-counter encryption software that’s inexpensive yet effective. As evidenced by the survey, most consumers do not know about encryption or feel encryption is not necessary, even though it is the best way to protect data at rest. It is the only failsafe way to safeguard data that might be stolen, since stolen encrypted data cannot be accessed by unauthorized users. Many regulatory schemes place data that is encrypted out of scope of the rules. For example, data that’s encrypted does not need to be reported if stolen or lost, according to a number of laws and regulations. [We are not lawyers, so any guidance regarding regulatory requirements should be cleared with a company’s legal team.]
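The paragraph above says native disk encryption is readily available but rarely switched on. As an added example that is not from the eBook or from WinMagic, this POSIX shell script lets an IT team check that state from the output of the OS's own tools: `fdesetup status` (FileVault on macOS) and `lsblk -o NAME,TYPE` (dm-crypt/LUKS on Linux); BitLocker is not covered, and the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example, not part of the eBook: audit whether the native full-disk
# encryption the text mentions (FileVault on macOS, dm-crypt/LUKS on Linux)
# is actually turned on. Assumed tools: `fdesetup status` and `lsblk`.
# BitLocker (Windows) is deliberately not handled here.

# fde_state_macos TEXT -> prints "on", "off" or "unknown"
# TEXT is the output of `fdesetup status`, e.g. "FileVault is On."
fde_state_macos() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# fde_state_linux TEXT -> prints "on" if any block device in the output of
# `lsblk -o NAME,TYPE` is a dm-crypt mapping (TYPE column == "crypt"),
# otherwise "off". Note: this shows encryption exists, not that the root
# filesystem is on it; treat "off" as a finding to verify by hand.
fde_state_linux() {
  if printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'; then
    echo on
  else
    echo off
  fi
}

# audit_local_disk -> runs whichever tool exists on this host, else "unknown"
audit_local_disk() {
  if command -v fdesetup >/dev/null 2>&1; then
    fde_state_macos "$(fdesetup status 2>/dev/null)"
  elif command -v lsblk >/dev/null 2>&1; then
    fde_state_linux "$(lsblk -o NAME,TYPE 2>/dev/null)"
  else
    echo unknown
  fi
}

# Constructed sample outputs, so the classifiers can be exercised offline.
SAMPLE_MAC_ON="FileVault is On."
SAMPLE_MAC_OFF="FileVault is Off."
SAMPLE_LINUX_OFF="NAME   TYPE
sda    disk
sda1   part
sda2   part"
SAMPLE_LINUX_ON="NAME          TYPE
nvme0n1       disk
nvme0n1p1     part
nvme0n1p2     part
cryptroot     crypt"

echo "sample macOS (FileVault on):  $(fde_state_macos "$SAMPLE_MAC_ON")"
echo "sample macOS (FileVault off): $(fde_state_macos "$SAMPLE_MAC_OFF")"
echo "sample Linux (LUKS present):  $(fde_state_linux "$SAMPLE_LINUX_ON")"
echo "sample Linux (no dm-crypt):   $(fde_state_linux "$SAMPLE_LINUX_OFF")"
echo "this host:                    $(audit_local_disk)"
```

Run it from an endpoint-management job and collect the last line per host; any "off" or "unknown" is a machine where a lost laptop would expose its data exactly as the survey describes.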


In the case of full disk encryption, the entire disk in a hard drive is encrypted—not just the data that’s written to it—blank space and all. Many of the survey respondents are likely full-time employees of a company. What this survey exposes is that people are simply not absorbing company security policies or best practices, nor do they truly understand how to secure their machines on their own. Such a reality is even more concerning given the fact that more than one out of every ten consumers has corporate data on their machines. Data breach notification laws and regulatory rules govern company data no matter where it resides—whether on company machines or not.

As an example, in November 2013, Healthcare Informatics reported a data breach at the University of California at San Francisco (UCSF) when a physician’s personal unencrypted laptop was stolen. The breach compromised more than 8,000 personal and health information records. The organization notified the affected individuals and offered credit monitoring assistance, a costly initiative that may have been avoided if the laptop had been encrypted.


COMPANIES COME TO THE RESCUE

The message to IT Pros and C-level execs is simple: Assume your employees are doing work on their own machines. Assume they are accessing company information on their personal desktops and laptops. And assume that information is not secure.

The onus is on each business to educate its workforce, explaining corporate security policies and outlining IT security best practices inside and outside the office, on both company-owned and personal computers. Here are a few recommendations for IT Pros and C-level execs:

1. Provide step-by-step encryption training: Employees are not encrypting their machines and should be taught how to do so. If employees are trained, businesses can rest a little easier knowing corporate data saved on an employee’s computer is safe.

Many employees do not understand that encryption solutions today are easy to use—especially given that historically encryption was more complicated and slowed down machine performance.

To go further, build upon the encryption training by offering an annual course on general security best practices, teaching employees about the fallacies of a basic password login or anti-virus software as adequate protection.

2. Encourage regular password changes—across all devices, desktops and laptops: a company’s IT policy might dictate password changes for its users. Ask users to change passwords on their personal devices and computers together with work machines. Additionally, encourage strong passwords – not six-character words; think more along the lines of 15 character words/phrases with regular and special characters and case sensitivity. Reduce the risk of brute-force password attacks.

3. Consider an enterprise file sync and share solution. File sync and share is an integral part of a company’s IT today. Prohibiting use of such services will cause headaches for end users and complaints to IT—not to mention some end users will find ways around the prohibitions. Purchasing a managed file sync and share solution will enable employees to share work freely and keep corporate data safe.

EXPLORING CONSUMER BAD HABITS REMINDS US OF THE IT SECURITY BEST PRACTICES THAT SHOULD BE STANDARD AT ANY COMPANY.


STREAMLINING DATA SECURITY FOR COMPANY MACHINES

WinMagic’s SecureDoc is a highly secure, yet flexible data security solution that enables businesses to comply with privacy and security regulations by protecting sensitive data residing in laptops, desktops, servers and on removable media.

Easily deployed, SecureDoc maintains end user productivity and ensures maximum security and transparency in regular workflow while allowing businesses to deal with the heterogeneous nature of their IT environments. WinMagic understands that IT pros need solutions that are easy to use and do not create new problems for end users. SecureDoc encrypts data at rest without anyone (IT pros or end users) even knowing the data is actually encrypted. To do this, SecureDoc is the only data encryption and management solution that allows for pre-boot network authentication (PBNA) through its PBConnex feature. PBConnex utilizes network-based resources to authenticate users, enforce access controls and manage end point devices before the operating system loads. This unique and ground-breaking approach to Full Disk Encryption (FDE) management results in significant cost savings for organizations by streamlining both IT management and end user functionality.


READY TO LEARN MORE?

WinMagic provides the world’s most secure, manageable and easy-to-use data encryption solutions. With a full complement of professional and customer services, WinMagic supports more than 5 million SecureDoc users in approximately 84 countries. We can protect you too.

For more information on SecureDoc Enterprise Server contact [email protected] or visit our website to access a number of valuable resources:

PRODUCT PAGE: http://www.winmagic.com/products

WHITE PAPERS: http://www.winmagic.com/resource-centre/white-papers

WinMagic Inc.

Phone: 905.502.7000
Fax: 905.502.7001
Toll Free: 888.879.5879
[email protected]
www.winmagic.com
