Survey Finds That Security Policies and Rules Are Ignored, Even When From the CEO

By Peter Bernstein March 27, 2013

The drumbeat of observations about what to do about the troubled and troubling state of cyber risk management in enterprise IT shops is getting louder, seemingly in lock-step with the headlines highlighting how attackers are continually raising the stakes along with the frequency of their attacks. At the recent RSA security event, I was struck by how many speakers argued that security ultimately comes down to educated users who follow best practices, and that this may be the best way to mitigate most threats. It may be common sense, but protection, particularly against identity-related problems, starts with the user.

Unfortunately, IT faces a real challenge in changing user behavior when it comes to identity management. As identity management company Lieberman Software found in a survey of IT security professionals at RSA, those professionals have their hands full: they doubt that unauthorized privileged access is under control, and they doubt their own organizations' ability to withstand a data breach. In fact, as the results below show, more than half of them think that even if the CEO mandated certain practices, the boss's wishes would still be ignored.

A Daunting Challenge for Chief Security Officers (CSOs)

The survey queried nearly 250 IT security professionals attending RSA. Respondents came from all major vertical market segments, and most hold purchasing authority for IT security technology at their organizations. 47.6 percent of respondents work in organizations with at least 1,000 employees.

Below are the highlights of the survey, which should be read as a call to action:

  • 81.4 percent of IT security staff think that regular enterprise staff tend to ignore the rules that IT departments put in place.
  • 52.2 percent of the same respondents believe that those staff would not listen any more closely if the directives came from executive management rather than from IT.
  • 32.3 percent work in organizations that have no policy to change default passwords when deploying new hardware, applications and network appliances.
  • 73.3 percent would not bet $100 of their own money that their company will not suffer a data breach in the next six months.
  • 75.8 percent think that employees in their organization have access to information they do not need to perform their jobs.
  • 64.7 percent think that they themselves have more access to sensitive information than colleagues in other departments.
  • 38.3 percent have witnessed a colleague access company information that he or she should not have had access to.
  • 54.7 percent did not report the colleague who accessed that information.

Lieberman’s take on these results is that they suggest that even though most IT professionals are aware of the level of access they have to systems that may contain sensitive data, many organizations either cannot or will not control and audit that access. The company notes, “The high number of staff who are thought to ignore IT directives could stem from willful negligence on the part of end-users or the lack of proper internal security training. When these findings are taken together, respondents' lack of confidence in the ability of their organizations to withstand a data breach is hardly surprising.”

The survey also underscores the complexity of the security challenges now facing IT. It is a heavy load and a big responsibility.

IT is now responsible not only for securing the perimeter from attacks and keeping employees from malicious activity, or from causing problems through the unintended consequences of not following best practices, but also for managing the integrated risks that come with BYOD and the cloud: securing people, their devices, the applications those devices run, and the business processes and networks they touch. All of this calls for a holistic approach that starts with the individual and makes sure they not only know the rules but follow them.

All of this will be the subject of a forthcoming TMC event, SecureIT: Protecting Your Enterprise in a BYOD World, to be held July 23, 2013 at the Kimmel Center of New York University. Look for details on the program in your inbox and on TechZone360.com in the next several days. 




Edited by Jamie Epstein