- Published: 14 November 2012
- Written by NStinchcombe
ISACA Survey: UK Workers Feel Online Privacy Is Threatened, But Gap Exists Between Fears and Actions
BYOD gains rapid acceptance, with 22% drop in enterprises that prohibit it
London, UK (14 November 2012) Eight out of 10 UK consumers who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, but many persist with actions and attitudes that put their privacy and security at risk, according to a survey of 1,000 UK office workers by global non-profit IT association ISACA. ISACA also conducted a separate survey of more than 4,500 of its members from 83 countries, including 980 in Europe.
The majority of respondents say that the risk of Bring Your Own Device (BYOD) outweighs the benefits, yet year over year, but there has been a 22-point percentage drop in enterprises that prohibit BYOD. With the increasingly blurry line between work and personal devices, behaviours that put privacy and security at risk have the potential to impact enterprises.
Sharing information online is riskier than ever, say one-quarter of the respondents. And only 12% say they do not think their online privacy is threatened. Yet despite these concerns, UK consumers reported engaging in the following risky behaviour:
• 10% have clicked on links in email from people they did not know
• 16% have used the same passwords for work and shopping sites
• 20% have clicked on links from social media sites
• 23% have used their work email address for online shopping
• 8% have lost their work or personal device they used for work
Employees’ online activities pose a special challenge to employers during the holiday season, since 69% of survey participants plan to shop online during the holiday season of November and December. Of those, 27% will spend five hours or more shopping on a work device and nearly 10% will spend 10 hours or more. Additionally, 44% will spend five hours or more and 16% will spend 10 hours or more shopping on personal mobile devices also used for work—a practice called “bring your own device” (BYOD).
According to the UK consumer edition of ISACA’s 2012 IT Risk/Reward Barometer, employees who have a work-supplied or BYOD device reported:
• To save 50 percent off a £100 item, 80% would be willing to reveal personal information; 59% would give up their email address, 20% would give up the name of the street they grew up on, 17% would provide their mother’s maiden name, and 7% would even be willing to share their current social media password.
• 22% are more concerned with protecting the security of their personal devices than their work-supplied devices.
• 12% would be just as inclined to use their personal device for work purposes even if they knew their online activity could be tracked by their employer.
"Using the same password for different sites will make it easier for criminals to hack into your accounts and compromise the data held by the organisation you work for. The more personal details you share about yourself online, the more likely you are to be a victim of social engineering attacks, especially with all of the data aggregators that combine seemingly innocent pieces of data into one comprehensive picture," said Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, security strategist and evangelist at Quest Software -now part of Dell - and ISACA international vice president.
While a quarter (25%) of respondents feel that sharing information online has become riskier over the past year, 87% reported engaging in a range of potentially risky actions:
• 80% do not verify the security settings of online shopping sites.
• 22% assume their IT department is ensuring that their work-supplied device has the most recent security patches.
• 13% are not concerned that their personal online activities at work may affect their organization's IT network.
• 11% have clicked on a link in an email before confirming its authenticity.
• 9% used a cloud service like Dropbox or Google Docs for work documents without their company’s knowledge.
“The 2012 IT Risk/Reward Barometer shows that despite considerable concern about their online privacy and security, consumers are simply not willing to give up behaviour that is high-risk and could compromise their own and their employer’s cash, data and reputation,” said Marc Vael, CISA, CISM, CGEIT, CRISC, an international vice president of ISACA. “The survey shows a sizable gap between what people believe they should do and how they actually act. Given that 23% of employees in the UK now use their own personal devices for work purposes—devices over which the enterprise has limited control—companies need to advocate an embrace-and-educate approach. Embrace the technology, but provide ongoing training about the personal and enterprise risks and how to avoid them.”
£10,000 in lost productivity from employee holiday shopping online, predicts IT
ISACA also conducted a separate survey of more than 4,500 of its members from 83 countries, including 159 in the UK. The enterprise will lose £10K or more in lost productivity as a result of an employee shopping online during work hours in November and December, say 29% percent of those surveyed. Over a third believe that employee will spend on average more than a full work day shopping online during work hours using a personal computer or smartphone, and 27% estimate they will spend more than a full day shopping from a work-supplied device.
Several of the “unsafe” actions consumers admitted taking were among the most worrisome to ISACA members—for example, storing work passwords on personal devices (77% say it poses a high risk to the enterprise) and using online file-sharing services like Google Docs or Dropbox for work documents (75%) were top two actions rated as high risk. In fact two-thirds of organisations prohibit using a file-sharing service for company documents and 40% prohibit using a personal mobile device for work purposes. The majority (59%) of respondents say that the risk of BYOD outweighs the benefits, yet year over year there has been a 22-point percentage drop in enterprises who prohibit BYOD (down from 66% to 44%).
About the 2012 IT Risk/Reward Barometer
The annual IT Risk/Reward Barometer helps gauge attitudes and organizational behaviours related to the risk and reward associated with the blurring boundaries between personal and work devices (BYOD), cloud computing, and increased enterprise risk related to online employee behaviour at peak seasonal times.
The study is based on September 2012 online polling of 4,512 ISACA members from 83 countries, including 159 members in the UK. A separate online survey was fielded among 1,000 UK consumers by OnePoll from 23-25 October 2012. To see the full results, visit www.isaca.org/risk-reward-barometer.
About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Contact:
Kristen Kessinger, +1.847.660.5512, This email address is being protected from spambots. You need JavaScript enabled to view it.
Hannah Rafferty, Eskenzi PR, +44 20 71 832 836, This email address is being protected from spambots. You need JavaScript enabled to view it.