Companies that are globalizing their operations or outsourcing work to offshore locations shouldn't overlook behavioral and cultural differences when developing their security risk-management plans, according to a survey of IT managers and end users in 10 countries that was released Tuesday by Cisco Systems.
The survey results show that employee behavior can vary by country and culture and have a direct bearing on the threats posed to corporate data. "As you globalize and move into new regions that you haven't worked in before, you really need to understand the cultural differences" in order to implement an effective data protection strategy, said Marie Hattar, Cisco's vice president of network and security solutions.
The survey was conducted for Cisco by InsightExpress, a market research firm. A total of more than 2,000 people -- about half of them IT decision makers -- were polled in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil, Cisco said.
Many of the countries haven't experienced the same level of worm mass mailings, denial-of-service attacks and other IT security threats that companies in the US have been dealing with for years, Hattar said. As a result, she added, there sometimes appears to be more tolerance in other countries for end-user behavior that would be considered risky in the US.
For example, about 64 percent of the IT decision makers surveyed in China and nearly half of the ones in Brazil said they thought that employees at their companies allowed outsiders to use corporate laptops and mobile devices without any supervision.
Meanwhile, 39 percent of the end users polled in Brazil and 20 percent in India admitted to sharing sensitive information about their jobs with family members and friends; another 8 percent and 7 percent, respectively, said they had shared such data with absolute strangers. In contrast, the number of respondents in the US who acknowledged that they had done the same things was 16 percent and 2 percent. In a majority of the cases, the survey respondents said they discussed sensitive information with others because they wanted to bounce an idea off of someone, or just vent.
Compared with workers in other countries, a significantly larger proportion of end users in China (42 percent), Brazil (26 percent) and India (20 percent) altered the security settings on their company-issued laptops. Just two of those surveyed in the US said they had done that. Similarly, more than 60 percent of the workers surveyed in Brazil and China said they had transferred company documents to and from their home computers while working remotely.
Sometimes, Hattar said, the security risks that companies face stem from cultural attitudes that can differ from country to country. In some countries, for example, there is a greater tolerance for employees tailgating behind other workers when entering secured facilities, or for verbally sharing sensitive information with others, she said.
IT and security managers have to be aware of such differences when they set security plans, and be prepared to incorporate whatever technical, physical or procedural controls are needed to help mitigate the risks, according to Hattar.
"You need to better understand the dynamics of the country you are doing business with, and ensure that your policy is localized," she said.