Slashdot Mirror


Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach

An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.

11 of 150 comments

  1. all of that can be fixed by ganjadude · Score: 4, Funny

    if only we give the government more money

    --
    have you seen my sig? there are many others like it but none that are the same
  2. comment subject here by Falos · Score: 5, Insightful

    Do we give out points on evaluations for "fully complies with security policy every time"? No, we slam plebs with metrics and quotas, after a childhood revolving around GPAs and diploma checkboxes and life-story-in-one-page application rodeos. We've trained society to game the system and if they're giving fucks in a certain, limited fashion, it's because the world only gives fucks in a certain, limited fashion.

    Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.

  3. Password updating by ngc5194 · Score: 5, Insightful

    Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords? I've been working in computer security for decades, and I almost never update passwords unless I'm required to or there is an incident. I'd much rather have my users pick strong passwords and not change them often than pick weak passwords because I insist they change them often. Sure, it's not just an either/or, but on the list of my concerns about system security, how frequently users update their passwords ranks WAAAAY down on the list.

  4. You're God damn right I wouldn't by Anonymous Coward · Score: 5, Insightful

    What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.

  5. So... by fuzzyfuzzyfungus · Score: 4, Insightful

    What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?

    Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.

    Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?

    This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.

  6. Maybe because security people are dicks? by gestalt_n_pepper · Score: 4, Insightful

    At my nameless three letter organization, here's how security works.

    "Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."

    "We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."

    "Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."

    Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!

    I don't know any other job where you can receive money for making stuff *not* work.

    --
    Please do not read this sig. Thank you.
    1. Re:Maybe because security people are dicks? by Anonymous Coward · Score: 5, Insightful

      Actually, security's motto is "If you can do your job, we're not doing ours."

  7. Re:Reprisal.. by Austerity+Empowers · Score: 4, Interesting

    Being fired is extreme, but in at least two companies I worked for, there was a strong "you broke it, you bought it" mentality to this sort of thing. If you found a security issue, you were expected to move across the corporation until it got fixed. Derailing your actual job, your personal life, and just about any hope of happiness until it got fixed. Of course you don't report it.

    The issue frequently is that IT is seen as the cost center to reduce most, so getting someone in IT to a) acknowledge it is an issue, not user error or an invalid use case, requires a champion effort; b) the IT guys that exist are marginally competent, and the good ones are too expensive to work here full time; c) frequently users are told how dumb they are, so they aren't even sure if they've found an issue or "I must be doing something wrong"; d) how did you find it in the first place? Were you doing something you shouldn't? HMMM?

  8. Lies, damn lies and statistics. by jklovanc · Score: 4, Insightful

    What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
    What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?

    Surveys can be tailored to get any desired response.

  9. Private sector's no better, probably worse by __roo · Score: 4, Insightful

    People will trade their passwords for a candy bar.

    Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years; there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.

    I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.

  10. when reporting one takes filling out a TPS report by Joe_Dragon · Score: 4, Insightful

    When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?