I had an interesting discussion with a couple of colleagues on the value of consumer security research to the business community. They argued that a business is not really interested in what home users do and, moreover, the security risks are minimal in a household when compared to the risk businesses have to manage.
Granted, the risks are greater in a business environment but there are two key elements linking the home and the office – people and technology. What we often forget is that user behaviour is strongly influenced by activities outside of the office and not within.
More to the point, how people use technology at the office is a reflection of how they use it at home – and this can have a negative effect on security in a business.
To explore the behavior and attitude towards security and technology in US households, GFI interviewed 500 parents and their teenage children. You can read the full report here; however, I would like to take a few results to highlight how a user’s behavior at home can impact security in a business.
The survey shows that nine out of 10 parents said they had antivirus software installed on their computers – nothing surprising there – but what is worrying is that only 28% of these said they update their virus definitions daily. Twenty-four percent, yes, one in four, were not even sure if their AV definitions were being updated at all.
These results strongly indicate that most parents are confident that so long as antivirus is installed on their computer they have nothing to worry about. Such is the false sense of security among parents and teens that 76% and 77% respectively said they are ‘very’ or ‘somewhat’ confident that they won’t be infected by a virus.
It does get worse. Nearly two-thirds of parents (65%) said a virus had infected their home computers, with 55% of them saying this had happened more than once – describing these attacks as ‘somewhat’ or ‘very’ serious (62%). Forty-seven per cent of teens said their computer had been infected by a virus at home.
Root of many security issues
This lax approach to security, fuelled by a lack of education, over-confidence and the false belief that an AV product is enough to protect their machine, is the root, I believe, of many of the user-related security issues that businesses face on a daily basis.
This brings me to one statistic that defines the link between home user behaviour and security at the office. Ninety percent of parents use their work computers at home for personal business, while of those parents, 37% say they let their teens use them as well.
That computer is now a security risk. Here we have a computer, probably a laptop, in the hands of a teenager who can’t wait to go online and start browsing, chatting on Facebook and downloading music, videos, films and so on. With 53% of teens admitting that they visited porn sites, for example, the risk of a malware infection on the work computer greatly increases. Although most work PCs have AV installed, today’s teenagers are clever enough to shut it down, especially if they want to download some software. They also know how to hide their tracks well. According to the survey, 42% of teens have deleted the browsing history on the computer to hide what they have been doing online from their parents. Thus, any risky online behaviour on their parents’ computer may not be evident and any ‘damage’ caused may not be discovered until it is too late.
Beware of those devices
Although most companies say they have strong security measures aimed at preventing malware from entering the network when portable devices are connected to it, 42% of parents said they are not required to take any security measures before connecting their computer (or any other device) to the network.
This is a perfect recipe for a serious security incident and it also shows how vigilant businesses need to be. If their employees show little or no concern for security at home, how can they be expected to follow basic security best practice at the office? Unless that business has layer upon layer of protection (web filtering, AV, log management, etc.), employees become as great a risk as a malicious hacker looking for weaknesses in the network.
The more we understand how technology is used at home, the more we can understand how users will behave in other environments, especially at work. With this insight businesses can take preventive action before something happens and create more effective policies.
Ultimately, it all boils down to one word: Education.