NYMITY | Corporate End User Survey: Employee Online Behavior

Title:	Corporate End User Survey: Employee Online Behavior - Trend Micro
Date:	06/09/10
Business Activities:	Data Loss Prevention
Impact to Subscriber:	Employees focus more on individual concerns and conveniences than their company's overall IT security - 60% of mobile workers and 44% of stationary workers have sent out company confidential information via instant messaging, Web mail or social media applications, and 10% of users override corporate security to access restricted websites. Concerns with phishing, malware and spam include loss of personal information, violation of corporate IT security policies, malicious downloads, and IT tightly monitoring the end user's web activities. To protect the business, keep computer and server software up-to-date and patched, use a security solution that includes URL filtering and cloud-based protection, and educate employees on spam prevention.

Authority:

Risk Guidance:

Control Guidance:

Relevance:

Background Facts:

Trend Micro surveyed 1600 employees with computer access in the U.S., U.K., Germany and Japan on employee online behavior.

Relevance to Business Activity:

data loss prevention considerations:
- use of electronic communication for confidential information:
  - laptop users who can connect to the internet outside of the company network are more likely to share confidential information:
    - percentage of end users who send out company confidential information by:
      - instant messenger:
        US:
        28% of mobile laptop users; and
        18% of employees always connected via the company network.
        UK:
        23% of mobile laptop users; and
        19% of employees always connected via the company network.
        Germany:
        42% of mobile laptop users; and
        24% of employees always connected via the company network.
        Japan:
        49% of mobile laptop users; and
        28% of employees always connected via the company network.
      - webmail:
        US:
        45% of mobile laptop users; and
        34% of employees always connected via the company network.
        UK:
        53% of mobile laptop users; and
        38% of employees always connected via the company network.
        Germany:
        64% of mobile laptop users; and
        44% of employees always connected via the company network.
        Japan:
        71% of mobile laptop users; and
        48% of employees always connected via the company network.
      - social media:
        US:
        17% of mobile laptop users; and
        15% of employees always connected via the company network.
        UK:
        23% of mobile laptop users; and
        16% of employees always connected via the company network.
        Germany:
        30% of mobile laptop users; and
        17% of employees always connected via the company network.
        Japan:
        36% of mobile laptop users; and
        17% of employees always connected via the company network.
    - overall use of electronic communication to send confidential information:
      - 60% of mobile laptop users; and
      - 44% of employees always connected via the company network.
- leakage of company confidential data:
  - overall, 5% of end users admit to having leaked company confidential information:
    - has the end user ever leaked out company confidential data:
      - US - 6%;
      - UK - 7%;
      - Germany - 5%; and
      - Japan - 3%.
    - data leaks have been caused accidentally and intentionally:
      - US:
        3.2% were accidental; and
        2.2% were intentional.
      - UK:
        5.3% were accidental; and
        1.5% were intentional.
      - Germany:
        2.5% were accidental; and
        2.2% were intentional.
      - Japan:
        1.8% were accidental; and
        1.3% were intentional.
- knowledge of company data:
  - some end users do not know what types of company data are confidential and proprietary:
    - percentage end users that know what data are confidential and proprietary:
      - US - 65%;
      - UK - 68%;
      - Germany - 63%; and
      - Japan - 37%.
- activities done while on the corporate network:
  - the following activities were done by end users in the US:
    - checked personal e-mail:
      - 58% using a desktop; and
      - 74% using a laptop.
    - browsed websites not directly related to their job:
      - 45% using a desktop; and
      - 58% using a laptop.
    - do personal online banking or bill paying:
      - 33% using a desktop; and
      - 45% using a laptop.
    - watched/listened to streaming audio and/or video:
      - 25% using a desktop; and
      - 33% using a laptop.
    - visited social networking sites:
      - 16% using a desktop; and
      - 32% using a laptop.
    - made a non-business related online purchase:
      - 26% using a desktop; and
      - 36% using a laptop.
    - downloaded executable files:
      - 15% using a desktop; and
      - 28% using a laptop.
    - used instant messaging:
      - 15% using a desktop; and
      - 21% using a laptop.
    - downloaded music or movies:
      - 4% using a desktop; and
      - 13% using a laptop.
    - made VOIP calls:
      - 3% using a desktop; and
      - 5% using a laptop.
    - participated in online gambling or gaming:
      - 2% using a desktop; and
      - 4% using a laptop.
- concerns regarding phishing include:
  - loss of personal information:
    - US - 48%;
    - UK - 45%;
    - Germany - 42%; and
    - Japan - 32%.
  - violation of corporate IT security policy:
    - US - 42%;
    - UK - 27%;
    - Germany - 35%; and
    - Japan - 22%.
  - loss of corporate information:
    - US - 34%;
    - UK - 28%;
    - Germany - 35%; and
    - Japan - 19%.
  - IT tightly monitoring the end user's web activities:
    - US - 27%;
    - UK - 15%;
    - Germany - 25%; and
    - Japan - 21%.
  - malicious download:
    - US - 26%;
    - UK - 17%;
    - Germany - 19%; and
    - Japan - 18%.
- concerns regarding spyware include:
  - loss of personal information:
    - US - 46%;
    - UK - 39%;
    - Germany 37%; and
    - Japan - 33%.
  - violation of corporate IT security policy:
    - US - 36%;
    - UK - 36%;
    - Germany - 36%; and
    - Japan - 32%.
  - malicious download:
    - US - 33%;
    - UK - 26%;
    - Germany - 27%; and
    - Japan - 25%.
  - loss of corporate information:
    - US - 32%;
    - UK - 32%;
    - Germany - 38%; and
    - Japan - 29%.
  - IT tightly monitoring the end user's web activities:
    - US - 31%;
    - UK - 33%;
    - Germany - 38%; and
    - Japan - 24%.
- concerns about viruses and Trojans include:
  - malicious download:
    - US - 56%;
    - UK - 47%;
    - Germany - 48%; and
    - Japan - 25%.
  - loss of personal information:
    - US - 36%;
    - UK - 30%;
    - Germany - 36%; and
    - Japan - 24%.
  - violation of corporate IT security policy:
    - US - 34%;
    - UK - 32%;
    - Germany - 39%; and
    - Japan - 29%.
  - loss of corporate information:
    - US - 29%;
    - UK - 30%;
    - Germany - 39%; and
    - Japan - 21%.
  - IT tightly monitoring the end user's web activities:
    - US - 22%;
    - UK - 17%;
    - Germany - 32%; and
    - Japan - 24%.
- concerns about data stealing malware include:
  - loss of personal information:
    - US - 56%;
    - UK - 63%;
    - Germany - 42%; and
    - Japan - 43%.
  - loss of corporate information:
    - US - 53%;
    - UK - 56%;
    - Germany - 57%; and
    - Japan - 46%.
  - violation of corporate IT security policy:
    - US - 42%;
    - UK - 44%;
    - Germany - 45%; and
    - Japan - 39%.
  - malicious download:
    - US - 42%;
    - UK - 35%;
    - Germany - 35%; and
    - Japan - 29%.
  - IT tightly monitoring the end user's web activities:
    - US - 29%;
    - UK - 21%;
    - Germany - 25%; and
    - Japan - 18%.
- concerns about spam include:
  - violation of corporate IT security policy:
    - US - 24%;
    - UK - 22%;
    - Germany 28%; and
    - Japan - 20%.
  - malicious download:
    - US - 23%;
    - UK - 17%;
    - Germany - 16%; and
    - Japan - 15%.
  - loss of personal information:
    - US - 16%;
    - UK - 11%;
    - Germany - 16%; and
    - Japan - 11%.
  - IT tightly monitoring the end user's web activities:
    - US - 15%;
    - UK - 12%;
    - Germany - 21%; and
    - Japan - 21%.
  - loss of corporate information:
    - US - 11%;
    - UK - 9%;
    - Germany - 11%; and
    - Japan - 10%.
- overriding company security:
  - percentage of end users who have tried to override the company's security in order to access a certain website:
    - US - 8%;
    - UK - 11%;
    - Germany - 12%; and
    - Japan - 8%.
  - frequency of trying to override security:
    - more than once a week - 21%;
    - a few times per month - 25%;
    - occasionally throughout the year - 18%; and
    - intermittent use - 36%.
- how to protect the business:
  - keep computers and servers current with the latest software updates and patches:
    - apply the latest security updates and patches to software programs and operating systems; and
    - enable automatic updates where possible.
  - employ a multi-layered defense to secure computers, servers and the network:
    - block threats with a comprehensive security solution that includes URL filtering and cloud-based protection; and
    - protect endpoints on and off the network.
  - establish data protection policies and educate employees:
    - make employees aware of spam and how they can help prevent it; and
    - ensure that employees never provide personal or confidential information in response to unsolicited email or IM requests.

Source Documents:

http://trendmicro.mediaroom.com/file.php/157/Trend+Micro+2010+Corporate+End+User+Study+-+PR1.ppt Press Kit available in Power Point

http://www.prnewswire.com/news-releases/employees-put-personal-online-security-and-interests-above-their-companys-93287734.html News Release

Privacy Support That Works !™

For full access to this study and all sources, contact Nymity.