Slashdot Mirror


Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach

An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.

10 of 150 comments

  1. comment subject here by Falos · Score: 5, Insightful

    Do we give out points on evaluations for "fully complies with security policy every time"? No, we slam plebs with metrics and quotas, after a childhood revolving around GPAs and diploma checkboxes and life-story-in-one-page application rodeos. We've trained society to game the system and if they're giving fucks in a certain, limited fashion, it's because the world only gives fucks in a certain, limited fashion.

    Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.

  2. Password updating by ngc5194 · Score: 5, Insightful

    Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords? I've been working in computer security for decades, and I almost never update passwords unless I'm required to or there is an incident. I'd much rather have my users pick strong passwords and not change them often than pick weak passwords because I insist they change them often. Sure, it's not just an either/or, but on the list of my concerns about system security, how frequently users update their passwords ranks WAAAAY down on the list.

  3. You're God damn right I wouldn't by Anonymous Coward · Score: 5, Insightful

    What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.

  4. So... by fuzzyfuzzyfungus · Score: 4, Insightful

    What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?

    Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.

    Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?

    This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.

  5. Maybe because security people are dicks? by gestalt_n_pepper · Score: 4, Insightful

    At my nameless three letter organization, here's how security works.

    "Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."

    "We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."

    "Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."

    Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!

    I don't know any other job where you can receive money for making stuff *not* work.

    --
    Please do not read this sig. Thank you.
    1. Re:Maybe because security people are dicks? by Anonymous Coward · Score: 5, Insightful

      Actually, security's motto is "If you can do your job, we're not doing ours."

  6. Lies, damn lies and statistics. by jklovanc · Score: 4, Insightful

    What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
    What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?

    Surveys can be tailored to get any desired response.

  7. Re:suspect it's much worse in the private sector by Anonymous Coward · Score: 2, Insightful

    Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.

    I wouldn't bet on that. Private sector involves losses and someone would be held to account. It really depends on the size and setup of the org.

    If you see a problem and point it out, you will be held to account unless you do everything you can to fix it. In a large organization, odds are you won't have the power to fix it, and you will get blamed for failing to fix it. If you don't tell anyone you see a problem, you can deny you knew there was a risk of a problem. Rational actors become less willing to report problems when people are "held to account", because *they* won't be held to account unless they admit they know of an issue.

    My last two employers had amazingly terrible security for exactly this reason. Everyone knew that anyone who pointed out a problem would be the scapegoat if anything went wrong. I now work in a private company which has a policy of "blameless post-mortems" for exactly this reason. By making an explicit rule that people will not be punished if they explain what went wrong and make a good faith effort to fix it, you actually get things fixed instead of "holding people to account".

  8. Private sector's no better, probably worse by __roo · Score: 4, Insightful

    People will trade their passwords for a candy bar.

    Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years; there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.

    I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.

  9. when reporting one takes filling out a TPS report by Joe_Dragon · Score: 4, Insightful

    When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?