Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
Being fired is extreme, but in at least two companies I worked for, there was a strong "you broke it, you bought it" mentality to this sort of thing. If you found a security issue, you were expected to move across the corporation until it got fixed. Derailing your actual job, your personal life, and just about any hope of happiness until it got fixed. Of course you don't report it.
The issue frequently is that IT is seen as the cost center to cut the most, so: a) getting someone in IT to acknowledge that it is an issue and not user error or an invalid use case requires a champion's effort; b) the IT guys that exist are marginally competent, and the good ones are too expensive to work here full time; c) users are frequently told how dumb they are, so they aren't even sure whether they've found an issue or "I must be doing something wrong"; d) how did you find it in the first place? Were you doing something you shouldn't? HMMM?