Two-thirds give password for chocolate
Jinfo Blog

22nd May 2007

By Tim Buckley Owen

Item

Corporate information managers are frequently the gatekeepers of many passwords, and many are probably looking forward to spearheading web 2.0 applications throughout their organisations as well. But if you think you have your security pretty well sewn up, perhaps now’s the time to think again. It’s not a question of firewalls, encryption or technology. Security can be put at risk by simple human behaviour. A survey of 300 commuting office workers and IT professionals for Infosecurity Europe - http://www.infosec.co.uk/page.cfm/T=m/Action=Press/PressID=640 - found that 64% could be induced to give away their passwords in exchange for a bar of chocolate and a nice smile. The approach was just a bit subtle, but didn’t really take too much effort. Researchers simply asked people if they knew what the most common password was and then what theirs was. Only 22% of IT professionals revealed their password at this point compared to 40% of the commuters. But then the researchers would ask if it was based on a child, pet, football team or whatever, and would have a guess at what it might be. This time, a further 42% of IT professionals and 22% of commuters fell for it. Perhaps we shouldn’t be too surprised at the ease with which people were prepared to do something that they would never even contemplate if they thought a bit about it. The latest Information Security Breaches Survey - http://www.pwc.com/uk/eng/ins-sol/publ/pwc_dti-fullsurveyresults_execsum06.pdf - carried out by consultant PriceWaterhouseCoopers for the Department of Trade & Industry, shows that a quarter of companies don’t carry out any background checks when recruiting staff, and one in eight does nothing to educate staff about their security responsibilities. Small wonder then that the majority of corporate fraud is committed by trusted senior managers – people to whom you probably wouldn’t hesitate to give a password if asked. According to ‘Profile of a Fraudster 2007’, a survey by KPMG Forensics - http://www.kpmg.co.uk/pubs/ACF23E1.pdf - senior management and board members represent 60% of all fraudsters. ‘This result highlights a risk that every company faces,’ the report concludes: ‘Executives are entrusted with sensitive company information and yet are also often in a position to override internal controls’. If the risk is bad now, how much greater is it going to become as companies embrace social media? A final piece of research, by content security specialist Clearswift - http://www.clearswift.com/news/item.aspx?ID=1162 - suggests that almost half of businesses have no idea whether they have lost confidential information via social media outlets, and that nearly a fifth of IT and business decision makers don’t have a policy governing appropriate internet use, including social media sites. And when management does finally get wise to the risks, there’s a danger of over-reaction. Over 40% of organisations currently either discourage or actually forbid blogging.

« Blog