
Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach

An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
  • by ganjadude ( 952775 ) on Tuesday May 19, 2015 @09:25PM (#49732209)
    if only we give the government more money
    • by Anonymous Coward

      if only we give the government more money

      Yes, but only if the money is spent on private contractors with a profit motive. An extra middle man with a profit motive, on top of any actual requirements, always makes things better, even Mid East wars.

    • by casings ( 257363 )

      It will be fixed when all public bureaucrats are replaced by software running at minimal expenditure and not open to lobbying. Allowing us to provide actual welfare to every citizen like, if you're in the states at least, is promised in the constitution.

      • by Dog-Cow ( 21281 )

        The Constitution does not promise anything to the citizens of the US. What kind of crap civics class did you attend, and why haven't you read the document yourself since then?

    • It is about politics.
      In the public sector it isn't about your wins, but how bad your losses are.
      If you report a problem, it gets escalated all the way to the top, where you get your elected officials who got there because they talk. Where then it goes back down to find the person to fire because of the issue. The general public will not be happy until they fire someone for the issue. Granted the person who made the mistake are probably the one who will not cause it again. But you fire them, shame them

  • by koan ( 80826 )

    The weakest link.

  • by Falos ( 2905315 ) on Tuesday May 19, 2015 @09:37PM (#49732285)
    Do we give out points on evaluations for "fully complies with security policy every time"? No, we slam plebs with metrics and quotas, after a childhood revolving around GPAs and diploma checkboxes and life-story-in-one-page application rodeos. We've trained society to game the system and if they're giving fucks in a certain, limited fashion, it's because the world only gives fucks in a certain, limited fashion.

    Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.
    • Legit. Especially given the culture of "it's only wrong if you get caught" attitude towards breaking rules that pervades so many of our high schools and trickles up into college and the work force with every graduation, and then gets reinforced with every performance evaluation or annual bonus.
  • Password updating (Score:5, Insightful)

    by ngc5194 ( 847747 ) on Tuesday May 19, 2015 @09:40PM (#49732309)
    Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords? I've been working in computer security for decades, and I almost never update passwords unless I'm required to or there is an incident. I'd much rather have my users pick strong passwords and not change them often than pick weak passwords because I insist they change them often. Sure, it's not just an either/or, but on the list of my concerns about system security, how frequently users update their passwords ranks WAAAAY down on the list.
    • I'm with you there. And I've even read some research that making people change passwords often in fact makes things worse, as people tend to forget and write down passwords that change more often.
    • There is a point, if passwords are sent encrypted over insecure channels, for instance a VPN connection. Encrypted passwords can be brute-force solved, it may take years. So if your 25 year veteran employee has never changed their VPN password, the hackers have potentially had 25 years to brute force his password.

      • by thsths ( 31372 )

        If somebody is spending 25 years of their life to crack your password, you may have other problems...

      • by hey! ( 33014 )

        Well, once you've cracked the VPN traffic the password is almost a secondary concern, isn't it?

        This is the wrong way to think about security, e.g. for a hypothetical world where users adhere to anything you demand of them no matter how intrusive or onerous that is. In reality if you decide that usability and convenience aren't factors in your planning then that's actually an oversight which will come back to bite you on the ass someday. The only thing you can say for that approach of wishing usability away

        • for a hypothetical world where users adhere to anything you demand of them no matter how intrusive or onerous that is.

          maybe you can get a few of your friends to help you beat on that straw man, that's not what I said AT ALL

          • by hey! ( 33014 )

            You're the one worried about passwords that can be broken in 25 years; that's a non-issue. The issue is security that works well enough for long enough and is workable for the users. Impressive sounding, inflated requirements means something else has to give: price, performance, or usability.

    • by Z00L00K ( 682162 )

      I agree to some extent - frequent changes hurt more than they help. Changing a password shall be when it's considered necessary, and it's only you that uses the password that can decide that.

      But to increase security a 2-factor authentication shall be used, so that you need to combine with a keycard or similar in order to gain access. That will make it harder for anyone that wants to gain access to the net.

      But if you want higher security you should also build your net within a company on segments so that there

    • I've been doing infosec for 18 years and fully agree. Forcing people to change passwords simply forces them to increment a number at the end or write them down. It also forces you to allow more failures in your brute force detection.

      With pass phrases, it's mostly about using LONG ones. Yeah, pass phrases, not passwords. Then make damn sure you're not using DES hashes or something else that truncates passwords anywhere.
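The truncation the comment warns about can be probed directly. This is an added example, not code from the thread: the two hash functions are constructed stand-ins (the legacy one reproduces only DES crypt's 8-character limit, not DES itself), and the probe accepts any (passphrase, salt) -> digest function, so it can be pointed at a real back end.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Optional

# Constructed stand-in for a legacy scheme: traditional DES crypt(3) only
# looks at the first 8 characters of the password, everything after that is
# silently ignored. PBKDF2 is used here purely as a placeholder digest.
LEGACY_PREFIX_LEN = 8

HashFn = Callable[[str, bytes], bytes]


def legacy_hash(passphrase: str, salt: bytes) -> bytes:
    """Simulates a DES-crypt-style scheme: chars past position 8 are dropped."""
    truncated = passphrase[:LEGACY_PREFIX_LEN].encode()
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, 1000)


def modern_hash(passphrase: str, salt: bytes) -> bytes:
    """Hashes the whole passphrase (PBKDF2 here; argon2id/scrypt are preferable)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)


def hash_truncates(hash_fn: HashFn, probe_len: int = 64) -> Optional[int]:
    """Probe a hashing back end for silent truncation.

    Returns the number of leading characters the scheme actually uses, or
    None if no truncation was detected within probe_len characters.
    """
    salt = os.urandom(16)
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    base = "".join(secrets.choice(alphabet) for _ in range(probe_len))
    reference = hash_fn(base, salt)
    for n in range(1, probe_len):
        # Flip the character at position n; if the digest does not change,
        # the scheme never looked at that position, so only n chars count.
        replacement = "X" if base[n] != "X" else "Y"
        flipped = base[:n] + replacement + base[n + 1:]
        if hmac.compare_digest(hash_fn(flipped, salt), reference):
            return n
    return None


def same_under(hash_fn: HashFn, a: str, b: str) -> bool:
    """True if two different passphrases verify as identical under hash_fn."""
    salt = os.urandom(16)
    return hmac.compare_digest(hash_fn(a, salt), hash_fn(b, salt))


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        print(name, "uses first", hash_truncates(fn), "chars")
    # Constructed sample: a long passphrase and a short one that share the
    # same first 8 characters ("correct ") collide under the legacy scheme.
    print("legacy collision:", same_under(legacy_hash, "correct horse battery staple", "correct hippo"))
    print("modern collision:", same_under(modern_hash, "correct horse battery staple", "correct hippo"))
```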

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Posting AC on this just because this is a common topic:

      Updating passwords is a quick band-aid, mainly to show that after a breach, -something- is done. So, the first thing done is that the Windows admin runs:

      dsquery user | dsmod user -mustchpwd yes

      and the place says they have "taken proper security precautions".

      As for reporting security breaches, here in the US, one is bred from birth (if they are born in the 1990s or later) to "sit down, shut up, and stop snitchin'". A good example of what happens if one

    • by Dog-Cow ( 21281 )

      Exactly. This is why my work passwords have always been XX or XXX depending on the number of characters required and the word I chose. I've been doing it that way for almost 20 years.

    • Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords?

      Not reporting security breaches makes perfect sense. How many stories have we seen here about people being arrested or sued for reporting security holes or breaches? Work groups (public or private) tend to shun people who 'rock the boat,' and reporting unsafe work practices is definitely rocking the boat. I don't know why TFA focuses on public sector, but I'd put pretty long odds on private company employees having a much better report rate.

    • by Rockoon ( 1252108 ) on Wednesday May 20, 2015 @08:42AM (#49735119)
      Your password must be at least 6 characters and contain at least one of each of the following: The letter "q", the letter "w", the letter "e", the letter "r", the letter "t", and the letter "y".
  • Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.

  • by Anonymous Coward on Tuesday May 19, 2015 @09:45PM (#49732359)

    What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.

    • I think they need to be even more severe. Threat of summary execution for not reporting security breaches should bring these Subjects into line.
      • by amiga3D ( 567632 )

        The problem is they'll execute them when they report it as well. Better to ignore the breach and hope for the best.

    • by sjames ( 1099 )

      Mod parent up!

      For exactly those reasons, I would seriously consider keeping quiet and letting someone else take the hit. If management has made it clear that reporting risks is forbidden, why do it?

    • It's too bad I wasn't included in this survey. Because I do report all my security breaches.

      Nothing beats a 6pt dark Papyrus font at the end of a boring 400 slides powerpoint presentation. I also email that powerpoint presentation to everyone using the "To:" field. In my experience, the more people I include in an email, the less likely anyone is going to read what I have to say. I may get a few hate emails as a result, but that's good. I print those out, and I keep them just in case I need corroborating ev

  • So... (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 19, 2015 @09:50PM (#49732405) Journal
    What percentage of them would expect to receive zero praise and potential reprisal if they did report a security problem?

    Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.

    Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?

    This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.
    • by Anonymous Coward

      Exactly. I have reported security breaches, and then been investigated because I noticed it and reported it. In one notable occurrence, the security investigator ultimately cleared me, and then stated in their report that "someone should be told about this".

      When that's the response you get, little wonder that anyone would follow up.

    • by Anonymous Coward

      Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.

      How many of those surveyed would even know if they found a security issue?

      Computer did something funny - "glitch", reboot it. Is it working now? Yes - keep working. No - Reboot it a few more times.
      Big piles of sensitive documents in a dumpster- "they" must have made sure it was ok to put them there.
      Strange person wandering about the place - "They" must have let him in.
      Computers being sold on Ebay - "They" would have erased them properly.
      Company selling highly sensitive details about people - "They " wouldn'

      • What's wrong with that?

        "they" are always there to point out when there are more than 3 pencils per person and months ordered. "They" know if you spend longer than 5 minutes at the water cooler. "They" are checking everyone's bags and pockets at the entrance.

        They're taking care of all that small stuff. So of course "they" would notice such big issues as sensitive documents in the dumpster, wouldn't they?

  • by gestalt_n_pepper ( 991155 ) on Tuesday May 19, 2015 @09:51PM (#49732413)

    At my nameless three letter organization, here's how security works.

    "Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."

    "We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."

    "Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."

    Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!

    I don't know any other job where you can receive money for making stuff *not* work.

    • by Anonymous Coward on Tuesday May 19, 2015 @10:02PM (#49732515)

      Actually, security's motto is "If you can do your job, we're not doing ours."

    • Security systems need to work for everyone not just you. The more "special cases" the weaker the security is.

      Oh, and if it breaks the database, that's your problem.

      If renaming a server is not easily fixed by a config change then whoever wrote the system is an idiot. Sorry but we can't deal with your and the other 20 naming schemes that individuals thought were "cool".

      We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem.

      If you are relying on an outdated control or monitoring software it is your problem. Your software may even be using the security flaw.

      Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem.

      This is exactly the same as a person forgetting their password i

      • by tlhIngan ( 30335 )

        If renaming a server is not easily fixed by a config change then whoever wrote the system is an idiot. Sorry but we can't deal with your and the other 20 naming schemes that individuals thought were "cool".

        If you are relying on an outdated control or monitoring software it is your problem. Your software may even be using the security flaw.

        a user will always choose dancing pigs over security every time. Get in the way of their work, and users will figure out very creative ways around it. Or users will do very

        • Get in the way of the method people want to do their work, and users will figure out very creative ways around it.

          Some users think their way is the only and/or best way to do things. Their priorities are the most important no matter how much damage it can do to the company. Nothing else matters.

          Tell a user they can get free apps, and they'll install and use SSH and the command line...

          Not sure if you think that is funny but it is definitely untrue.

        • a user will always choose dancing pigs over security every time. Get in the way of their work, and users will figure out very creative ways around it.

          That's because management will choose Getting It Done Now over Following The Rules every time. I've yet to meet a manager who, when it comes down to the deadline, won't tell me to "figure something a way to make it happen".

          Which is the unspoken problem in the earlier post - it's all well and good that you updated your documentation, and now all the servers names are ISO certified. But if you forgot to tell anyone you were doing it, and now all the tools and reports that get used to keep the business running

    • by c ( 8461 )

      Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!

      This is pretty much what happens when "Security" is a separate business group. Security-oriented admin groups can usually manage to balance security versus operational requirements, but if your only job is making things more secure and there's zero penalty for making things non-functional, well... honestly, I'd probably do the same thing.

    • This this this!

      I have run into this countless times.
      They basically enact some draconian security policy regardless of any other consequences. It breaks stuff all the time. The response you get back is typically, too bad, this is how things are now, deal with it, it is your problem. They are a level above all IT that make arbitrary decisions, oftentimes ridiculous ones, and even going to the highest level of IT infrastructure, they are like sorry, nothing we can do, you'll have to take it up with Security.

      An

  • data protection isn't just a helpful suggestion, it's the LAW!

    I can, will and have gone Jurassic Park on any public servant or official I catch accessing data for anything other than specified work related tasks. If you're trusted with private data, then I swear on my left nut I will destroy you if you breach that trust.

    • If you're trusted with private data, then I swear on my left nut I will destroy you if you breach that trust.

      summary execution without jury trial or even an arrest, yes indeed you are a pillar of civilization

    • I can, will and have gone Jurassic Park

      You cloned them from a tiny drop of blood?

  • Just so we're all clear on this, what is the current official party line? Should we be reporting or not be reporting?!

  • by jklovanc ( 1603149 ) on Tuesday May 19, 2015 @10:42PM (#49732719)

    What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
    What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?

    Surveys can be tailored to get any desired response.

  • This is why you have QA people, you pay them to tell you the things that everyone else is afraid to tell you. Management pays more attention when QA reports security problems, because it is their job.

  • Would you please mark these as content free advertisements?
  • by __roo ( 86767 ) on Tuesday May 19, 2015 @11:12PM (#49732893)

    People will trade their passwords for a candy bar [bbc.co.uk].

    Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years, there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it get someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.

    I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.

    • by MrKaos ( 858439 )

      Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it get someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.

      This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]

      • This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]

        all? really? (How would you even be able to pick up such a brush?)

        • by MrKaos ( 858439 )

          This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]

          all? really? (How would you even be able to pick up such a brush?)

          Well as a practicing tosspot myself I have to maintain my tosspottery skills if I ever need them for the public service.

          Actually it's my mistake, I meant to edit "all" out of that sentence. Thanks for pointing that out, it seems right that 2/3 of the public service are covering their asses from the practicing tosspots.

    • Did they ever check to see if those were real passwords? Somebody wants my password for a candy bar I like, I'll be happy to make up a password and give it to them. It's mine if I made it up, and whether it ever has worked or ever will work on a system somewhere really isn't my concern.

  • by Joe_Dragon ( 2206452 ) on Tuesday May 19, 2015 @11:53PM (#49733083)

    When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?

  • in the 1990s while working in IT for a certain federal agency, I accidentally discovered that the entire C:\ drive of the PC used by a federal employee involved in negotiations over a multi-million-dollar subcontracting action had been shared out to the entire internal network where the contents could have been viewed by any of several thousand people. I wrote it up; sent it to the security folks. Their response? Crickets. Always made lots of noise about busting someone for the then-new pastime of porn surf

  • Morons are handling your most sensitive data.
  • Something the FBI does with sensitive workers with security clearance in top secret projects is that they pose as foreign agents and try to buy access to their work.

    The worker fails and is arrested if they accept the deal. It is basically entrapment but apparently it is legal. I don't especially mind either. I think entrapment is fine under a lot of circumstances.

    If you gave me a gun with blanks in it and said I could murder some random person... I wouldn't do it. But if I tried, then I probably am not some

  • If you're not willing to report a security breach, you don't deserve a job in the public sector, or anywhere else.
  • Despite civil service protections public employees are well aware that pointing out anything unpleasant or defective to the chain of command can cost you your job. They will fire you not for what you do but create situations with which what you do will be unacceptable. After all some big shot selected the security system and he has friends in high places. Rock his canoe by reporting a security issue and you are dead meat. The only protections for workers rest in strong unions and a legal system will
    • YEP! "Whistleblower protection laws" are jokes. Doesn't change the fact they can make your life hell in ways that can't be articulated in court.
  • I work in the financial lending industry and I can promise you that if we slacked off on security and user credit info is leaked or stolen, it won't matter that the breach came by way of social engineering, brute force password attacks or swarms of pigeons waving flaming torches, everyone in the department gets sanctioned. Some will get reprimands, some will get demotions and some will get fired.

    If it comes to a choice of losing your job or inconveniencing a user with a password change every 30, 60 or 90 da

  • A few years ago, at the company I work for, we got a spec to build an interface that would send passwords, in the open, to a vendor. Several of us warned upper management of the foolishness of this idea, but despite multiple attempts to push back on this request, management insisted that the process be written this way, so that is what was done. Perhaps 64% of employees would stay quiet about a security breach because so many managers are universally, fucking stupid, and it is always dangerous to tell the

  • The aforementioned 2/3 of 'workers' probably don't need to be online to do their work. The simple fix is for their connection to the outside world to be snipped. Physical security measures can be used to ensure that the data is then 'protected' for the most part.

    Obviously there are other means and ways for data to be stolen and leaked out, but the first order of business needs to be:

    "You're too casual about security for any hardware you can access to be connected to the outside." Take away their connecti

  • I discovered a security breach at my old job and it took a massive amount of effort to get anyone to take action on it (ie give permission to take site offline, notify public), and the first set of instructions were to just delete all evidence which is why they had to send letter to all applicants, they had no idea whose information had been exposed. I was looked way down on for jumping rank every time I got the answer to just not worry about it. One of the major reasons I eventually left public sector...
  • I work for a multinational private company and we see the same thing, not just with security breaches.

    The reality is, in most labor environments now, why would anyone make an effort to point something out that would get them marginalized or fired? This is especially true in the "outsourcing countries" -- most of the people working in these locations are extremely happy to have stable employment and will do anything they can to protect it. As a result, huge problems are hidden for as long as possible until t

  • Sorry, I've worked in a number of sectors, and these days for a US federal contractor, and unless you're talking about some upper manager, or someone in bed with same, I don't see how they'd do that. Everywhere I've worked, using, and changing passwords is enforced by the IT dept, and by software. Since everyone's networked these days, you don't get on otherwise. And the places I've worked have *forced* less than simple password.

    The next question that comes to mind is *why* they wouldn't report a breach. A
