Office workers give away passwords for a cheap pen

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/30324.html

By John Leyden
Posted: 17/04/2003

Workers are prepared to give away their passwords for a cheap pen, 
according to a somewhat unscientific - but still illuminating - survey 
published today. 

The second annual survey into office scruples, conducted by the people 
organising this month's InfoSecurity Europe 2003 conference, found 
that office workers have learnt very little about IT security in the 
past year. 

If anything, people are even more lax about security than they were a 
year ago, the survey found. 

Nine in ten (90 per cent) of office workers at London's Waterloo 
Station gave away their computer password for a cheap pen, compared 
with 65 per cent last year. 

Men were slightly more likely to reveal their password with 95 per 
cent of blokes, compared to 85 per cent of women quizzed, prepared to 
hand over their password on request. 

The survey also found the majority of workers (80 per cent) would take 
confidential information with them when they change jobs and would not 
keep salary details confidential if they came across them. 

If workers came across a file containing everyone's salary details, 75 
per cent of workers thought they would be unable to resist looking at 
it, again up from 61 per cent in 2002. A further 38 per cent said they 
would also pass the information around the office. 


Naughty. 

The survey was undertaken by the organisers of Infosecurity Europe 
2003 in a quest to find out how security conscious workers are with 
company information stored on computers. 

Workers were asked a series of questions which included: What is your 
password? Three in four (75 per cent) of people immediately gave their 
password. 

If they initially refused they were asked which category their 
password fell into and then asked a further question to find out the 
password. 

A further 15 percent were then prepared to give over their passwords, 
after the most rudimentary of social engineering tricks were applied. 

One interviewee said, "I am the CEO, I will not give you my password 
it could compromise my company's information". 

A good start, but then the company boss blew it. He later said that 
his password was his daughter's name. 

What is your daughters name the interviewer cheekily asked. 

He replied without thinking: "Tasmin". 


D'oh. 

Of the 152 office workers surveyed many explained the origin of their 
passwords. 

The most common password was "password" (12 per cent) and the most 
popular category was their own name (16 per cent) followed by their 
football team (11 per cent) and date of birth (8 per cent). 

Two thirds of workers have given their password to a colleague (the 
same as last year) and three quarters knew their co-workers passwords. 

In addition to using their password to gain access to their company 
information two thirds of workers use the same password for 
everything, including their personal banking, Web site access, etc. 

This makes them more vulnerable to financial fraud, personal data loss 
or even identity theft, the InfoSecurity team point out. 

Meanwhile two thirds of workers admitted they had emailed colleagues 
illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per 
cent in 2002. Men were twice as likely to indulge in this activity 
with 91 per cent of men sending unsavoury emails compared to only 40 
per cent of women. 

InfoSecurity's organisers say this behaviour could expose their 
employer to expensive litigation for sexual discrimination, low morale 
and even be viewed as allowing bullying. 

Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are 
sometimes just naïve, poorly trained or are not made aware of the 
security risk. Employers therefore need to create a culture of 
protecting their information and reputation with policies on 
information security backed up with training to support the security 
technology". 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.