Many data security breaches are blamed on user mistakes. But IT’s security strategy is often to blame for those errors.
That’s the message in a recent study of federal agencies’ security policies and user behavior.
Federal agencies are subject to a wide variety of security threats, and they make a popular target for a few reasons. Government agencies are common targets of so-called “hacktivist” groups such as Anonymous and others looking to leak sensitive information to the public, as well as of foreign attackers conducting cyber espionage.
In addition, those agencies hold a lot of sensitive information that can be used to commit identity theft and other types of fraud.
While the threat level for the feds may be more pronounced than for smaller private businesses, the IT security challenges those agencies face are similar to the problems all IT departments are trying to overcome.
Specifically, federal agencies struggle with preventing user mistakes that lead to security breaches, according to a recent report published by MeriTalk, a public-private partnership created to improve government IT.
According to the report, government agencies invest a lot of money and time installing firewalls, encryption tools and other security controls, and yet haven’t been able to put much of a dent in the number of successful attacks they face.
A big part of the problem: User mistakes thwart IT’s attempts to block those threats.
Users cause a lot of breaches
The 100 federal IT professionals surveyed said that half of all security breaches their agencies experience can be blamed on users’ failure to comply with IT policies.
Private businesses face the same problem, as many reports have shown. A recent Forrester report found that users were to blame for 36% of all the breaches that have occurred in 2013 so far — making them the No. 1 cause of IT security incidents during that time. That figure includes both intentional malicious actions and accidental negligence.
IT often tries to overcome the challenge with more security awareness training. However, while that does have a role to play in an organization’s security strategy, it may not address the real problems that lead to noncompliance with security policies.
According to MeriTalk’s report, the issue isn’t that users don’t know security is important or that they don’t know how to follow the rules. It’s that doing so makes it hard for them to get their jobs done.
Security is a burden
Regardless of what IT professionals might think, users do care about keeping data secure. MeriTalk also surveyed 100 non-IT employees in federal agencies, and among those users, 95% agreed that deploying cyber security measures is an absolute necessity for their organization. In addition, 98% agreed that cyber security is everyone’s responsibility. Equal numbers of IT pros said the same thing.
But, as any IT manager is aware, the two sides often disagree on how those measures should be implemented. Most (88%) of the users surveyed said they face obstacles thanks to their organization’s security controls. For instance:
- 69% said that some of their work takes longer than it should due to IT security measures
- 66% agreed that the security protocols in place in their agencies are burdensome and time consuming, and
- nearly one in five users said there’s been a situation in which they couldn’t get their work done on time because of a security measure.
Users had the biggest problems with their agencies’ rules on passwords, restricted access to websites and file downloads, and slowdowns caused by security software.
As a result of those frustrations, 31% of users say they try to work around a security control at least once per week.
Whose fault is it?
IT’s role is shifting, thanks to trends like cloud computing, BYOD and the consumerization of IT. Whether technology pros like it or not, they have to begin offering users more options to do things their way — because if those options are blocked, users will find a way to use them anyway.
While that’s led more companies to allow the use of personal mobile devices, it hasn’t had much impact on how IT implements security controls. In MeriTalk’s survey, just 40% of IT pros say they focus on the user experience when they develop a security strategy.
Of course, IT can’t give in to every user request and still expect data to stay secure. But if IT pros want people to follow security policies, they’ll have to start getting input from users when those rules are developed.
It’s likely that communicating more will lead to solutions that can benefit both sides. For example, 56% of users said they would like to consolidate their accounts into a single sign-on. About four in ten (41%) IT pros said they could implement that without hurting security. However, many likely haven’t done so because they aren’t aware of what users want when it comes to security.