From: InfoSec News (isnc4i.org)
Date: Mon Apr 21 2003 - 02:50:41 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.theregister.co.uk/content/55/30324.html

By John Leyden
Posted: 17/04/2003

Workers are prepared to give away their passwords for a cheap pen,
according to a somewhat unscientific - but still illuminating - survey
published today.

The second annual survey into office scruples, conducted by the people
organising this month's InfoSecurity Europe 2003 conference, found
that office workers have learnt very little about IT security in the
past year.

If anything, people are even more lax about security than they were a
year ago, the survey found.

Nine in ten (90 per cent) of office workers at London's Waterloo
Station gave away their computer password for a cheap pen, compared
with 65 per cent last year.

Men were slightly more likely to reveal their password with 95 per
cent of blokes, compared to 85 per cent of women quizzed, prepared to
hand over their password on request.

The survey also found the majority of workers (80 per cent) would take
confidential information with them when they change jobs and would not
keep salary details confidential if they came across them.

If workers came across a file containing everyone's salary details, 75
per cent of workers thought they would be unable to resist looking at
it, again up from 61 per cent in 2002. A further 38 per cent said they
would also pass the information around the office.

Naughty.

The survey was undertaken by the organisers of Infosecurity Europe
2003 in a quest to find out how security conscious workers are with
company information stored on computers.

Workers were asked a series of questions which included: What is your
password? Three in four (75 per cent) of people immediately gave their
password.

If they initially refused they were asked which category their
password fell into and then asked a further question to find out the
password.

A further 15 percent were then prepared to give over their passwords,
after the most rudimentary of social engineering tricks were applied.

One interviewee said, "I am the CEO, I will not give you my password
it could compromise my company's information".

A good start, but then the company boss blew it. He later said that
his password was his daughter's name.

What is your daughters name the interviewer cheekily asked.

He replied without thinking: "Tasmin".

D'oh.

Of the 152 office workers surveyed many explained the origin of their
passwords.

The most common password was "password" (12 per cent) and the most
popular category was their own name (16 per cent) followed by their
football team (11 per cent) and date of birth (8 per cent).

Two thirds of workers have given their password to a colleague (the
same as last year) and three quarters knew their co-workers passwords.

In addition to using their password to gain access to their company
information two thirds of workers use the same password for
everything, including their personal banking, Web site access, etc.

This makes them more vulnerable to financial fraud, personal data loss
or even identity theft, the InfoSecurity team point out.

Meanwhile two thirds of workers admitted they had emailed colleagues
illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per
cent in 2002. Men were twice as likely to indulge in this activity
with 91 per cent of men sending unsavoury emails compared to only 40
per cent of women.

InfoSecurity's organisers say this behaviour could expose their
employer to expensive litigation for sexual discrimination, low morale
and even be viewed as allowing bullying.

Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are
sometimes just naïve, poorly trained or are not made aware of the
security risk. Employers therefore need to create a culture of
protecting their information and reputation with policies on
information security backed up with training to support the security
technology".

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]