IT departments are typically much more concerned about the security threats posed by user negligence than they are about being attacked by outsiders, according to a recent survey conducted by Irish magazine ComputerScope and IT distributor Data Solutions.
Among the 278 IT pros surveyed, 80% said they are concerned about the impact of careless employees on IT security. In comparison, just 15% are concerned about attacks from external hackers.
Thanks to the creation of BYOD programs and the flood of personal devices onto corporate networks, users have more opportunities than ever to put data in the hands of cyber criminals.
However, one of the biggest threats users pose still comes in the form of careless web browsing.
Among the respondents to ComputerScope’s survey, 22% are aware of a data breach caused by a user accessing or downloading material from an external site. And the sites blamed in those incidents aren’t necessarily of the variety that users or even IT pros would expect. The sites the surveyed IT pros most often said led to a security incident:
- Online retail stores (blamed for an incident by 43% of IT pros)
- Hotmail (41%)
- Facebook (40%)
- Gmail (36%)
- Dropbox (34%)
- LinkedIn (34%)
- YouTube (34%)
Many computer users assume the most dangerous sites are those that offer adult content, illegal downloads or other suspicious activities, but studies have shown seemingly benign sites pose a much bigger threat. Users should be trained on how to browse the web safely, as well as how to watch for suspicious links and avoid phishing scams.
IT security mistakes companies make
Despite the concern about users’ behavior leading to IT security breaches, many of the organizations surveyed are failing to take some steps that could help control that behavior and mitigate those risks.
The top IT security mistakes made by the companies surveyed:
- 62% allow access to social networking sites — and 23% of them allow access without any restrictions or acceptable use policies
- 33% don’t carry out any IT security awareness training for users, and
- Only 11% require users to report the loss or theft of a smartphone, tablet or other mobile device that had access to the company’s network or data.