Global Study Reveals Disconcerting Perceptions of IT’s Role in Corporate Security
Despite Risky Online Behavior, More Remote Workers Feel Managers - Not IT - Have the Right to Control Out-of-Office Activity; Nearly 1 in 5 Says It’s No One’s Business
SAN JOSE, Calif. - November 6, 2006 - Cisco® today released the results from a second international study of remote workers and their online behavior, revealing disconcerting perceptions of IT’s role that may jeopardize corporate and personal security - a role often perceived as reactive and, in some cases, less authoritative than that of non-IT managers.
The new study includes responses from more than 1,000 remote workers and 1,000 IT decision makers in 10 countries: the United States, United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil. Conducted this summer by an independent third-party market research firm, the study builds on previous research issued earlier in October around the contradictions in remote workers’ security awareness and actual behavior. With their risky behavior as a backdrop, the new study surveyed the same remote workers on their perceptions of IT’s role in protecting them. In turn, IT professionals were surveyed on what they believed their users perceived their role to be.
For the global IT community, the responses are eye-opening. In six of the 10 countries (including the United States), more remote workers felt their managers had the authority to control their behavior than IT organizations. And in the case of France, more remote workers (38 percent) said it was no one’s business than those (33 percent) who felt IT had such a right.
In addition to the United States and France, more remote workers in Australia, Brazil, China and the United Kingdom viewed their managers as having more authority than IT. India, Italy, Japan and Germany were the exceptions; however, one-third of the remote workers in Japan and Germany placed the responsibility on their managers, regardless of whether they felt IT had such a right. All remote workers surveyed were non-IT professionals, meaning that managers in sales, marketing, accounting, H.R., customer support, operations and other lines of business were perceived to rival or eclipse IT’s authority in managing users’ online behavior.
Aside from managers and IT, 13 percent of all remote workers felt no one should control their use of corporate devices. France featured the most remote workers who felt this way - 38 percent - but more than one-third of the respondents in Italy (35 percent) echoed this sentiment. Those in Japan (22 percent), the United States (14 percent) and Australia (14 percent) exceeded the global average as well.
“These results spotlight the influence that social and business cultures have on perceptions and behavior,” said Jeff Platon, Cisco’s vice president of security solutions marketing. “For example, in Germany, 71 percent agreed IT should police their behavior, but one-third also felt managers shared that responsibility. And one of every four felt co-workers played a role too. Many German respondents felt the entire corporate population is accountable for information security.”
Outside of Germany, Platon said chief information officers face a different challenge - reaffirming IT’s role to end users. For the majority of IT professionals surveyed, the perception of their role by remote workers wasn’t a surprise. More than half (53 percent) believed their users did not think IT had the right to know how corporate devices were utilized. Only India and Brazil had a majority of IT respondents who did.
According to John Stewart, Cisco’s chief security officer, this perception is not so much a challenge as it is an opportunity for IT to establish itself as a trusted adviser on security.
“IT understands that employees are aware of security issues but are frequently unaware their behavior is risky,” Stewart said. “Education and awareness are key. IT and corporate security need to work with their upper management to help educate their employees about risks and responsibilities. While it’s imperative that IT looks for proactive technology to protect their organizations from risks - risks that always exist when many people with diverse levels of understanding connect to the network - marrying products with proactive communication and education is what ultimately produces a security-savvy corporate culture.”
According to Platon, the results from the first study released earlier this month (“Actions Speak Louder Than Words: Despite Claiming Security Awareness, Many Remote Workers Engage in Risky Online Behavior”, http://newsroom.cisco.com/dlls/2006/prod_100906.html) heighten the urgency around Stewart’s message.
“In the first study, two-thirds of remote workers worldwide claimed they were aware of security concerns,” Platon said. “However, many of those same workers admitted engaging in risky behavior when using corporate devices. Their awareness and behavior were contradictory.”
This behavior included hijacking the wireless networks of neighbors, opening suspicious e-mails, accessing corporate files with personal devices, and sharing work computers with non-employees. When asked why they engage in such behavior, remote workers offered numerous explanations, such as: “I don’t think this behavior creates security risks”; “My company doesn’t know or wouldn’t mind me doing so”; and “other co-workers do it.”
“The contradiction between remote workers’ awareness and behavior, the reasoning behind their actions, and their perception of IT provide enough motivation for CIOs and CSOs to re-establish their position as a trusted security adviser within their organizations,” Stewart said. “This research clearly indicates that security is everyone’s responsibility. IT has an opportunity - and obligation - to evolve its image and take a leadership role in making the connection between security risks and workers’ actions.”
Driving this change involves various efforts, Stewart added. These efforts include establishing a united front among upper management, appointing security ambassadors, instituting companywide training, conducting focused internal communications, communicating globally while ensuring regional relevance, and offering highly visible awards and recognition.
“There’s something to be said for stepping out from behind the back-office veil and communicating with people,” Stewart said. “Most IT security teams have yet to do this, and they’ve subsequently been cast in a reactive, secretive light that hampers their ability to prove to management that they can prevent productivity and data losses. By consulting and educating end users, IT will transform its image into a trusted security adviser, which is what CIOs and CSOs ultimately want and what enterprises ultimately need.”
Cisco (NASDAQ: CSCO) is the worldwide leader in networking for the Internet. Cisco news and information are available at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.