Office Workers Give Away Passwords for a Chocolate Bar
The third annual survey into office scruples conducted by Infosecurity Europe 2004 found that office workers are still not information security savvy. A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar. The survey found the majority of workers would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them. The survey was undertaken by the organisers of Infosecurity Europe 2004 (Olympia 27-29 April) in a quest to find out how security conscious workers are with company information stored on computers.
Workers were asked a series of questions which included what is your password, to which 37% immediately gave their password, if they initially refused the researchers used social engineering tactics, “I bet it’s to do with your pet or child’s name”, at this a further 34%revealed their passwords.
Of the 172 office workers surveyed many explained the origin of their passwords, such as “my team – Spurs”, “my name – Charlie”, “my car – minicooper”, “my cat’s name – Tinks”. The most common password categories were family names such as partners or children (15%), followed by football teams (11%), and pets (8%), the most common password was “admin”. One interviewee said, “I work in a financial call centre, our password changes daily, but I do not have a problem remembering it as it is written on the board so that every one can see it.” What everyone, our stunned researcher asked? “Yes, although I think they rub it off before the cleaners arrive”, replied the worker.
When asked if they would give their password to someone calling from the IT department, they were slightly more wary with only 53% saying that they would not give their password as it could cause a security breach. That still left just under half of workers vulnerable to social engineering techniques, which are often used by hackers to gain access to systems, they often pretend to be calling from the IT department and requesting a user’s log on and password to “resolve a network problem”. Password security was also not good between colleagues as 4 out of 10 knew their colleagues’ passwords and 55% said that they would give their password to their boss. One man said that we use 10 different systems a day, so we all use the same passwords for each one so that we can remind each other if we forget.
In addition to using their password to gain access to their company information two thirds of workers use the same password for personal access such as online banking, website access, etc. Using just one password could make them more vulnerable to financial fraud or even identity theft.
Workers used an average of 4 passwords, however, one person who was a system administrator regularly used 40 passwords, which he stored using a programme that he had written himself to keep them secure. Most passwords were changed on a monthly basis 51%, 3% change their passwords weekly, 2% change them daily, 10% change them each quarter, 13% rarely change their passwords and 20% never change their passwords. Many of the commuters who regularly had to change their passwords kept them on pieces of paper in their drawer or stored on word documents. One senior executive for a bank said that he had to change his password every month and he used to have a problem remembering what it was, but now he has a “foolproof” solution. When our research asked what it was he replied, I use my wife’s name and add the current month, so now I never forget what it is!
Eighty percent of workers were fed up with using passwords and 92% said that they would rather be able to log on using biometric technology such as fingerprint and iris scanners, or be able to log on using smartcards or tokens. When asked whether they would feel happier using internet banking if their bank provided biometric and smart card technology to verify their identity, 86% of workers said that this would make them feel safer, and most of them said that it would also encourage them to use online banking as they felt it would make their information more secure.
Seventy one percent of workers would download contacts or competitive information to take with them to their next job, which shows they think it valuable enough to risk stealing it (80% in 2003 and 54% in 2002). Men were more likely to take information with them to their next job (76%), whereas 64% of women would take the information with them. By stealing confidential information such as contacts, workers are not only taking a vital asset to a competitor they could also expose their employer to prosecution under the Data Protection Act.
If workers came across a file containing everyone’s salary details, 71% of workers didn’t think they would be able to resist looking at it (75% in 2003 and 61% in 2002). A further 23% said they would also pass the information around the office. Many of the workers who said that they would keep the information confidential said that they worked in personnel and finance departments, so they had access to the information anyway.
Claire Sellick Event Director for Infosecurity Europe 2004 – Europe’s leading information security event said “This survey proves people are still not as aware as they could be about information security, this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date. Clearly the workers are fed up with having to remember multiple passwords, and would be happy to replace them with alternative identification technology such as biometrics or smartcards.”