Over half the IT managers surveyed in a new study said that managing employee behaviour was the most frustrating part of their job. This was followed by budget constraints (48%), not having enough time for security (25%), IT security being a low priority (23%) and ease of deployment (18%).

The 2007 State of Security Report released today was prepared by research group StollzNow for Websense Australia. StollzNow surveyed 158 employees and 159 IT managers at organisations nationwide with 50 staff or more.

 According to the survey, employees estimate they spend 45.1 minutes per day on personal Internet use and a further 85.3 minutes a day on business Internet use. Their IT managers think this is optimistic, estimating employees at their organisations spend 89.5 minutes – or 1.5 hours – every working day on personal Internet use.

“People are spending an enormous amount of personal time online at work, much of which raises security concerns for both the user and the IT department,” said Joel Camissar, ANZ Country Manager, Websense.

Common activities

Employees’ favourite activities while on the web are visiting banking and finance sites (46%), reading news and sport (39%), accessing personal email such as Hotmail and Gmail (29%) and visiting jobs sites (18%).

The less common activities include some of the most time consuming, dangerous or bandwidth heavy: instant messaging friends (13%), playing online video clips such as YouTube, downloading from free software sites (9%), visiting games sites (7%), downloading music (4%) and peer-to-peer file sharing (3%). Each presents an easy way for confidential information to leave the organisation or for problems to be introduced.

Beyond the web, 53% of employees surveyed said they had sent work documents to personal email accounts, 20% had opened suspicious emails, 17% clicked on pop-up ads, 8% admitted viewing adult material and 3% had engaged in online gambling. One per cent had knowingly distributed confidential company documents.

Employees seem to understand that such digital promiscuity could cost their jobs. Leaking sensitive information was seen to be a dismissible offence by 74% of employees, followed by viewing adult content (73%) and infecting the company with malicious spyware or a virus (63%).

When it came to losing their jobs, IT managers were most concerned about staff  staff leaking confidential information (56% saw this as the main reason they could be dismissed). This was followed by introducing viruses (52%), accessing inappropriate material (47%) and instant messaging abuse (34%).

Protection measures

The organisations surveyed typically had a range of defences in place. Even so, only 15% of IT managers felt they were 100% protected. Over half (55%) said they were ‘well, but not 100% protected’. This protection was almost exclusively external and focused on phishing (58% of sites), spyware (56%) and instant messaging (51%).

Different URL filtering solutions were employed by 87% of the organisations represented by the surveyed IT managers. The filtering is designed to protect against web threats, improve productivity, enforce Internet policies and manage bandwidth. Notably, few IT managers cite leakage of commercially sensitive information as a key reason for installing web filtering software despite its prevalence as an issue in the survey.

Responses to internal threats were not as robust: 41% of companies used software to block peer-to-peer use; the proportion using tools to identify internal hackers was also 41%. Only 15% of organisations blocked iPods or USB devices such as memory keys.

Just over half (53%) of all the IT-manager organisations surveyed automated their Internet usage policies through filtering tools and 36% made staff sign paper-based Internet usage policies.

Despite these reservations, employees generally perceived their work computers to be secure. Of the 43% of respondents who had used their credit card on a work computer, only 14% had checked whether it was safe to do so. Potential risks include the ability of other staff to access their details using keystroke logging software.

When it comes to having details stolen or compromised while at work, the three main areas of concern for employees are banking details (30%), credit card numbers (20%) and company data (17%).

“It makes a lot of sense for organisations to ensure their external defences are secure, but we also urge managers to consider threats from within and particularly the way sensitive information can easily slip outside the walls,” said Camissar.