“It’s interesting to see the cultural differences in terms of what’s allowed and what’s not allowed in different countries,” said Marie Hattar, vice president of network and security solutions at Cisco. “If you look towards doing a data leakage prevention strategy, you’ve got to consider physical security as much as you do network security.”
Hattar told CNET News that the survey came about because of dramatic changes in the workplace within the last few years. Two of the changes–a younger workforce and the rise of smart mobile phones–are “completely blurring between what’s personal and what’s your work life.” She also cited the recent rise of the knowledge worker in countries such as India, China, and Brazil. “So it becomes key that as you implement your network security strategy, your physical security strategy, that you are also putting into place some of these educational policies to drive your employees to good behavior,” she said.
In Brazil, the study found, 39 percent of employees surveyed talk about sensitive company information with their friends and family and 8 percent of the time they talk to strangers. By comparison, the numbers for the U.S. were 16 percent friends and family and only 2 percent strangers. “If you look at China,” Hattar said, “it’s one of the more lower countries in terms of who they talk about company business outside the company.” Cisco’s data showed that while 17 percent of Chinese workers talk about work to friends and family members, none said they talked to strangers.
Another data point was how permissive employees are of non-employees in the office. “In Germany, one out of five actually admit to letting partners or vendors or what have you roam their office buildings unsupervised.” Hattar admitted this alone would not lead to data leakage, but warned that employees should “put their computers on standby, (prevent) their passwords from being posted on the computer or written down somewhere, and have a physical security mechanism that will alert you so that you know whether someone is looking or doing something that they shouldn’t be doing.”
The Cisco report further recommends that companies know where the data is stored and how it is accessed and used. Companies should educate employees on how data protection equates to money earned and money lost, the bottom line. Finally, international companies should determine global policy objectives and create localized education programs tailored to a country’s culture and threat landscape.
Hattar observers that “as you evolve your business into different cultures, even if you have locked down your physical security and your network security you can’t escape from having to put into place an education program to raise the awareness that you have to educate your employees about the possibility of verbal disclosure.”
The Cisco study was conducted by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
