Survey: 2/3 of Public Sector Workers Wouldn't Report a Security Breach
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don't update their passwords regularly. Daisy Group's Graham Harris said, "When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force." 16% of respondents said they didn't know if data protection was an important part of their company's security practices.
all of that can be fixed (Score:5, Funny)
Re: (Score:2)
if only we give the government more money
Yes, but only if the money is spent on private contractors with a profit motive. An extra middle man with a profit motive, on top of any actual requirements, always makes things better, even Mid East wars.
Re: (Score:2)
It will be fixed when all public bureaucrats are replaced by software running at minimal expenditure and not open to lobbying. Allowing us to provide actual welfare to every citizen like, if you're in the states at least, is promised in the constitution.
Re: (Score:2)
The Constitution does not promise anything to the citizens of the US. What kind of crap civics class did you attend, and why haven't you read the document yourself since then?
Re: (Score:2)
That's the Preamble, which describes the goals of the Constitution. It does not have any legal force, and should not be considered a promise. Consider it an attempt to lay out the spirit of the Constitution, and that those are proper US goals.
Re: (Score:2)
It is about politics.
In the public sector it isn't about your wins, but how bad your losses are.
If you report a problem, it gets escalated all the way to the top, where you get your elected officials who got there because they talk. Then it goes back down to find the person to fire because of the issue. The general public will not be happy until they fire someone for the issue. Granted, the person who made the mistake is probably the one who will not cause it again. But you fire them, shame them
Humans (Score:2)
The weakest link.
Re: (Score:2)
I'd love to see the private sector version of this. ... I really haven't noticed private sector behavior being any better.
The result would be about the same. People are people. There is far more variation in culture between different organisations (including between different government offices) than there is any public/private divide in this. I've seen it all, including working in the UK Admiralty at one time where the security was fanatical.
As for TFA (I've followed the links) I find the 2/3 figure hard to believe and the article is light on facts and the form of the questions. Perhaps the 2/3 would not report in a ca
Re: (Score:3)
I suspect the 2/3rds figure is coming from the fact that the person creating the gap in security is above a given person on the org chart. Pissing off your superiors is a great example of a Career Limiting Event. Rank has its privileges. I have not yet seen an organization of any appreciable size, public or private, where those at the top do not consider themselves above security policy. That's for the plebs, kind of like how taxes are for little people. While your typical rank and file worker may have
Re: (Score:2)
As for TFA (I've followed the links) I find the 2/3 figure hard to believe and the article is light on facts and the form of the questions. Perhaps the 2/3 would not report in a case where they knew it was their own fault. I'm guessing, as I see no reason not to report any other breach that came to light. The resulting flap it would make an interesting diversion to the usual dull routine.
No, I'd believe it. Even ignoring the obvious reasons like "this security breach makes my life/job/day easier", there's the basic one - when you report a breach, the questions tend to start on "how do you find out?" "What were you doing to notice such a thing?" "That's not part of your job, so what weren't you doing in order to do this thing you're not supposed to do?", and that's if you're lucky enough that it stays internal and you don't get the Full Whistleblower Special.
Counter this with - what's in it
comment subject here (Score:5, Insightful)
Of-fucking-course they game the system. "Fear of reprisal" isn't even a core symptom.
Re:Game the System (Score:2)
Re: (Score:2)
Re: (Score:2)
Why did you comment before reading the rest of the GP's comment?
Password updating (Score:5, Insightful)
Except you didn't, therefore (Score:1)
your post only proves his point: it's a scare tactic, making you change passwords frequently or periodically. Hell, a good password when muscle memory has worked out how to type it is typed too fast for shoulder surfing to work. You'd need to take video footage and replay on slow mode.
Muscle memory for typing, though, takes time. And changing passwords means you have no time.
And you have to write it down or make it easy to remember (therefore easy to guess).
Re: (Score:2)
Also every single place with a complicated password policy ends up with users choosing the most similar types of simple password that are allowed. They then write them down because they can't remember them. You can always tell when some jackass has got in charge of password security because a long keyphrase like "Goats jumping over the martian plains!" gets rejected, but "abc123!@#" gets accepted because it has a number in it.
Re: (Score:2)
I work in state government and not only do I have to change the password every 30 days but I can't repeat any password combination I used in the past 30 times. To make it worse, if I don't change the password within the 30 days the system locks me out requiring IT to reset it. Lastly, I am required to take security training every 6th change before the system will allow me to change it. And that training doesn't ever change the questions... I get 100% on it every time.
It has gotten to the point of ridiculous
Re: (Score:2)
If you leave the organization, forced password change means that after a set time (60-90 days) you cannot log in anymore if someone didn't properly close your accounts, and the same goes for the shared account passwords.
Yes, if companies had proper HR-to-IT checkout procedures and shared accounts went away this wouldn't be an issue and your passwords could stay the same, but sadly, the password change is the best approximation most places have to functioning procedures.
Re: (Score:2)
but sadly, the password change is the best approximation most places have to functioning procedures.
No it isn't. The solution is quite simply to put IT on the same aliases that HR uses to communicate terminations with accounting and their internal staff, along with every alias that management uses to communicate terminations with HR. This way IT finds out about Jim John getting canned along with everyone else. There's no "privacy issue" either, since any properly set up IT department can access anyone's company email as needed anyway.
Re: (Score:3)
Re: (Score:2)
There is a point, if passwords are sent encrypted over insecure channels, for instance a VPN connection. Encrypted passwords can be brute-force solved, it may take years. So if your 25 year veteran employee has never changed their VPN password, the hackers have potentially had 25 years to brute force his password.
Re: (Score:2)
If somebody is spending 25 years of their life to crack your password, you may have other problems...
Re: (Score:2)
Well, once you've cracked the VPN traffic the password is almost a secondary concern, isn't it?
This is the wrong way to think about security, e.g. for a hypothetical world where users adhere to anything you demand of them no matter how intrusive or onerous that is. In reality if you decide that usability and convenience aren't factors in your planning then that's actually an oversight which will come back to bite you on the ass someday. The only thing you can say for that approach of wishing usability away
beat that straw man, beat it hard (Score:2)
for a hypothetical world where users adhere to anything you demand of them no matter how intrusive or onerous that is.
maybe you can get a few of your friends to help you beat on that straw man, that's not what I said AT ALL
Re: (Score:2)
You're the one worried about passwords that can be broken in 25 years; that's a non-issue. The issue is security that works well enough for long enough and is workable for the users. Impressive-sounding, inflated requirements mean something else has to give: price, performance, or usability.
Re: (Score:2)
Actually, the basic argument is flawed.
Brute force password cracking is a guessing exercise. So a password can be cracked in 25 years - that sounds not too bad, right?
But actually there is a 4% chance the password can be cracked within 1 year, a 1% chance it can be cracked in 3 months, a 0.03% chance it can be cracked in a day.
And these probabilities are the same whether you change your password or not!
So you need a better mitigation against password cracking. Not losing your hashes would be a good start, lim
Re: (Score:2)
And these probabilities are the same whether you change your password or not!
the probability of the cracked password working is ZERO if the password has been changed
Re: (Score:2)
So it is ok that the attacker cracked your password, just because he can only use it for a few weeks? That is an odd idea of security.
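The brute-force probability argument a few posts up and this exchange about a rotated password being worthless, as an added example that is not part of the thread: a small Python model of that argument. Assumptions constructed here: an attacker holding the hash walks the whole keyspace in 25 years at a constant rate, the search order is independent of the user's choice, and each rotation yields an independent password; under that model it reproduces the yearly and quarterly figures, shows what a single day works out to, and adds how the per-window probabilities compound over a 25-year horizon with and without 90-day rotation, with a Monte Carlo check.

```python
"""Brute-force success probability under the thread's 25-year model.

Added illustration (constructed assumptions, not from the thread): an attacker
holding the hash walks the whole keyspace in T_TOTAL_DAYS at a constant rate,
the search order is independent of the user's choice, so a search of t days
finds the password with probability t / T_TOTAL_DAYS; a forced rotation swaps
in an independent password, which restarts the search from zero.
"""
from __future__ import annotations

import math
import random

DAYS_PER_YEAR = 365
T_TOTAL_DAYS = 25 * DAYS_PER_YEAR  # "a password can be cracked in 25 years"


def p_cracked_within(days: float, t_total: float = T_TOTAL_DAYS) -> float:
    """Chance that `days` of continuous searching finds one fixed password."""
    return min(1.0, max(0.0, days) / t_total)


def p_compromised_over_horizon(
    horizon_days: float, rotation_days: float | None, t_total: float = T_TOTAL_DAYS
) -> float:
    """Chance that at least one of the passwords used during the horizon is found.

    Without rotation the search simply accumulates.  With rotation every window
    is an independent trial, so the per-window chance is the same as for an
    unrotated password (the point made above), but the windows compound.
    """
    if rotation_days is None:
        return p_cracked_within(horizon_days, t_total)
    full_windows, remainder = divmod(horizon_days, rotation_days)
    p_window = p_cracked_within(rotation_days, t_total)
    p_remainder = p_cracked_within(remainder, t_total)
    return 1.0 - (1.0 - p_window) ** int(full_windows) * (1.0 - p_remainder)


def useful_days_after_crack(crack_day: int, rotation_days: int | None) -> float:
    """How long a password found on `crack_day` keeps working (the reply's
    point: zero once it has been changed)."""
    if rotation_days is None:
        return math.inf
    return rotation_days - crack_day % rotation_days


def simulate(
    horizon_days: int, rotation_days: int | None, trials: int = 20000,
    seed: int = 1, t_total: int = T_TOTAL_DAYS,
) -> float:
    """Monte Carlo check of the closed form.  The secret sits at a uniformly
    random position in the attacker's search order; it is found in a window
    exactly when that position lies within the days searched in that window."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        remaining = horizon_days
        while remaining > 0:
            window = min(remaining, rotation_days) if rotation_days else remaining
            if rng.randrange(t_total) < window:
                hits += 1
                break
            remaining -= window  # rotation: fresh password, search restarts
    return hits / trials


if __name__ == "__main__":
    for label, days in (("one year", 365), ("three months", 90), ("one day", 1)):
        print(f"{label:>12}: {100 * p_cracked_within(days):.3f}%")
    for rot in (None, 90):
        closed = p_compromised_over_horizon(T_TOTAL_DAYS, rot)
        print(f"25-year horizon, rotation={rot}: closed form {closed:.3f}, "
              f"simulated {simulate(T_TOTAL_DAYS, rot):.3f}")
```

Under this model a 90-day rotation leaves each window at about 1% but still compounds to roughly a two-in-three chance over 25 years, which is why the thread's later replies land on not losing the hashes and using long passphrases rather than on rotation.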
Re: (Score:3)
I agree to some extent - frequent changes hurt more than they help. Changing the password shall be done when it's considered necessary, and it's only you that uses the password that can decide that.
But to increase security a 2-factor authentication shall be used, so that you need to combine with a keycard or similar in order to gain access. That will make it harder for anyone that wants to gain access to the net.
But if you want higher security you should also build your net within a company on segments so that there
agreed . 18 years in infosec here (Score:3)
I've been doing infosec for 18 years and fully agree. Forcing people to change passwords simply forces them to increment a number at the end or write them down. It also forces you to allow more failures in your brute force detection.
With pass phrases, it's mostly about using LONG ones. Yeah, pass phrases, not passwords. Then make damn sure you're not using DES hashes or something else that truncates passwords anywhere.
Re: (Score:3, Interesting)
Posting AC on this just because this is a common topic:
Updating passwords is a quick band-aid, mainly to show that after a breach, -something- is done. So, the first thing done is that the Windows admin runs:
dsquery user | dsmod user -mustchpwd yes
and the place says they have "taken proper security precautions".
As for reporting security breaches, here in the US, one is bred from birth (if they are born in the 1990s or later) to "sit down, shut up, and stop snitchin'". A good example of what happens if one
Re: (Score:2)
Exactly. This is why my work passwords have always been XX or XXX depending on the number of characters required and the word I chose. I've been doing it that way for almost 20 years.
Re: (Score:1)
Okay, the bit about how many folks wouldn't report a security breach is disturbing, but what's the fixation with updating passwords?
Not reporting security breaches makes perfect sense. How many stories have we seen here about people being arrested or sued for reporting security holes or breaches? Work groups (public or private) tend to shun people who 'rock the boat,' and reporting unsafe work practices is definitely rocking the boat. I don't know why TFA focuses on public sector, but I'd put pretty long odds on private company employees having a much better report rate.
Re:Password updating (Score:4, Funny)
suspect it's much worse in the private sector (Score:1)
Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.
Re: (Score:2, Insightful)
Given that public jobs are relatively secure, you can assume this issue is much worse in the private sector.
I wouldn't bet on that. Private sector involves losses and someone would be held to account. It really depends on the size and setup of the org.
If you see a problem and point it out, you will be held to account unless you do everything you can to fix it. In a large organization, odds are you won't have the power to fix it, and you will get blamed for failing to fix it. If you don't tell anyone you see a problem, you can deny you knew there was a risk of a problem. Rational actors become less willing to report problems when people are "held to account", because *they* won't be held to account unless they admit they know of an issue.
My last two em
Re: (Score:2)
Oh yes.. the good old "I want solution, and everything you're bringing me is problems". Noticing problems often is simply not "visionary" enough and pointing out those problems slow down the whole "team" on the way to their "mission goals".
If nothing goes wrong, such management will win big, really big, including being on the next management magazine title. And no one cares for the 90% that fail big with that management style. Current culture bought into the "Prof. Pigskin"-Scam wholesale.
Re:Reprisal.. (Score:5, Interesting)
Being fired is extreme, but in at least two companies I worked for, there was a strong "you broke it, you bought it" mentality to this sort of thing. If you found a security issue, you were expected to move across the corporation until it got fixed. Derailing your actual job, your personal life, and just about any hope of happiness until it got fixed. Of course you don't report it.
The issue frequently is that IT is seen as the cost center to reduce most, so getting someone in IT to a) acknowledge it is an issue not user error/invalid use case requires champion effort, b) the IT guys that exist are marginally competent, the good ones are too expensive to work here full time, c) frequently users are told how dumb they are, so they aren't even sure if they've found an issue or "I must be doing something wrong", d) how did you find it in the first place? Were you doing something you shouldn't? HMMM?
Re: (Score:2)
You hear too often about someone who disclosed a security issue and was fired/sued for "hacking" or some other ridiculous reasoning.
Edward Snowden disclosed a security issue, and look what happened to him.
You're God damn right I wouldn't (Score:5, Insightful)
What benefit would there be in reporting a security breach? Workers, especially in the public sector, are increasingly being treated as the enemy when they report this sort of thing. Governments have created an environment where any sort of whistle-blowing is viewed as a hostile action, and employees are often rewarded with termination, lawsuits, or jail time. Until that climate changes for the better, I'm just going to do my job and keep my fucking mouth shut.
Re: (Score:2)
Re: (Score:2)
The problem is they'll execute them when they report it as well. Better to ignore the breach and hope for the best.
Re: (Score:2)
Mod parent up!
For exactly those reasons, I would seriously consider keeping quiet and letting someone else take the hit. If management has made it clear that reporting risks is forbidden, why do it?
Re: (Score:2)
It's too bad I wasn't included in this survey. Because I do report all my security breaches.
Nothing beats a 6pt dark Papyrus font at the end of a boring 400-slide PowerPoint presentation. I also email that PowerPoint presentation to everyone using the "To:" field. In my experience, the more people I include in an email, the less likely anyone is going to read what I have to say. I may get a few hate emails as a result, but that's good. I print those out, and I keep them just in case I need corroborating ev
So... (Score:5, Insightful)
Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.
Guess what? That's one of the areas where management is supposed to be earning its money. One of the differences between an effective organization and a trainwreck is how good the flow of information is: are important observations from the periphery being collated and passed on so that HQ can actually achieve a coherent larger picture of the world? Are directions and information passed back down usefully informed by that picture? Or do you have unrealistic demands and buzzword nonsense flowing down; and soothing lies flowing up?
This doesn't mean that 100% of employees are innocent ('insider threats' are a subset of 'people who wouldn't report a security breach', since they create them; but not a terribly large subset); but if you have this problem on a large scale, that's because your organization is dysfunctional.
Re: (Score:1)
Exactly. I have reported security breaches, and then been investigated because I noticed it and reported it. In one notable occurrence, the security investigator ultimately cleared me, and then stated in their report that "someone should be told about this".
When that's the response you get, little wonder that anyone would follow up.
Re: (Score:2)
To be fair, Target took a serious hit in earnings for a security leak of unknown importance. Whether the lost earnings were proportionate to the offense, I don't know, and I also don't know what Target's culpability is (they were obviously negligent to a certain amount, but everybody is).
Re: (Score:1)
Yeah, sure, it's depressing that people aren't courageous moral heroes, or motivated to go above and beyond, most of the time, especially about boring stuff or things likely to get them in trouble.
How many of those surveyed would even know if they found a security issue?
Computer did something funny - "glitch", reboot it. Is it working now? Yes - keep working. No - Reboot it a few more times.
Big piles of sensitive documents in a dumpster- "they" must have made sure it was ok to put them there.
Strange person wandering about the place - "They" must have let him in.
Computers being sold on Ebay - "They" would have erased them properly.
Company selling highly sensitive details about people - "They " wouldn'
Re: (Score:2)
What's wrong with that?
"they" are always there to point out when there are more than 3 pencils per person and months ordered. "They" know if you spend longer than 5 minutes at the water cooler. "They" are checking everyone's bags and pockets at the entrance.
They're taking care of all that small stuff. So of course "they" would notice such big issues as sensitive documents in the dumpster, wouldn't they?
Maybe because security people are dicks? (Score:5, Insightful)
At my nameless three letter organization, here's how security works.
"Oh, you didn't name your database server according to our specifications required by our lame monitoring tool that can't handle nonstandard system names? Rename your server. Oh, and if it breaks the database, that's your problem."
"We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem."
"Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem."
Security's motto: We break stuff, put ALL the burden on the users, walk away AND we get paid for it!
I don't know any other job where you can receive money for making stuff *not* work.
Re:Maybe because security people are dicks? (Score:5, Insightful)
Actually, security's motto is "If you can do your job, we're not doing ours."
Maybe because users feel entitled (Score:2)
Security systems need to work for everyone not just you. The more "special cases" the weaker the security is.
Oh, and if it breaks the database, that's your problem.
If renaming a server is not easily fixed by a config change then whoever wrote the system is an idiot. Sorry, but we can't deal with your and the other 20 naming schemes that individuals thought were "cool".
We just patched all the servers for greater security. Too bad you can't use your software to control or monitor them anymore, but that's your problem.
If you are relying on outdated control or monitoring software, it is your problem. Your software may even be using the security flaw.
Due to a breach, everyone must change their password. Too bad it happened while you were off for a few days and needed to log in for an emergency, but that's your problem.
This is exactly the same as a person forgetting their password i
Re: (Score:2)
a user will always choose dancing pigs over security every time. Get in the way of their work, and users will figure out very creative ways around it. Or users will do very
FTFY (Score:2)
Get in the way of the method people want to do their work, and users will figure out very creative ways around it.
Some users think their way is the only and/or best way to do things. Their priorities are the most important no matter how much damage it can do to the company. Nothing else matters.
Tell a user they can get free apps, and they'll install and use SSH and the command line...
Not sure if you think that is funny but it is definitely untrue.
Re: (Score:2)
a user will always choose dancing pigs over security every time. Get in the way of their work, and users will figure out very creative ways around it.
That's because management will choose Getting It Done Now over Following The Rules every time. I've yet to meet a manager who, when it comes down to the deadline, won't tell me to "figure something a way to make it happen".
Which is the unspoken problem in the earlier post - it's all well and good that you updated your documentation, and now all the servers names are ISO certified. But if you forgot to tell anyone you were doing it, and now all the tools and reports that get used to keep the business running
Re: (Score:2)
This is pretty much what happens when "Security" is a separate business group. Security-oriented admin groups can usually manage to balance security versus operational requirements, but if your only job is making things more secure and there's zero penalty for making things non-functional, well... honestly, I'd probably do the same thing.
100% This. (Score:2)
This this this!
I have run into this countless times.
They basically enact some draconian security policy regardless of any other consequences. It breaks stuff all the time. The response you get back is typically, too bad, this is how things are now, deal with it, it is your problem. They are a level above all IT that make arbitrary decisions, oftentimes ridiculous ones, and even going to the highest level of IT infrastructure, they are like sorry, nothing we can do, you'll have to take it up with Security.
An
Re: Maybe because security people are dicks? (Score:1)
I use the casino analogy. A casino has lots of cash and no shortage of shady characters. Yet they don't search my bags or body scan me when I walk in. However, their threat detection is really good and if something happens there will be an instant response. They have actual security.
Contrast that with the TSA or government and private offices where they harass people just to get in the front door because harassing people is easier than actually doing something useful. Plus it makes the public or CEO th
rolleyes (Score:2)
data protection isn't just a helpful suggestion, it's the LAW!
I can, will and have gone Jurassic Park on any public servant or official I catch accessing data for anything other than specified work related tasks. If you're trusted with private data, then I swear on my left nut I will destroy you if you breach that trust.
Re: (Score:2)
Hell yes.
Re: (Score:2)
If you're trusted with private data, then I swear on my left nut I will destroy you if you breach that trust.
summary execution without jury trial or even an arrest, yes indeed you are a pillar of civilization
Re: (Score:2)
I can, will and have gone Jurassic Park
You cloned them from a tiny drop of blood?
Just so we're all clear on this... (Score:2)
Just so we're all clear on this, what is the current official party line? Should we be reporting or not be reporting?!
Lies, damn lies and statistics. (Score:5, Insightful)
What were the actual questions? Was it worded to elicit no's? Did the respondents understand the question?
What was the definition of "major security breach"? Was the threshold so low that things like not changing a password every 30 days is a major security breach? Who responded to the survey? Were they people who only see low level issues?
Surveys can be tailored to get any desired response.
QA (Score:2)
This is why you have QA people, you pay them to tell you the things that everyone else is afraid to tell you. Management pays more attention when QA reports security problems, because it is their job.
Insert free advert for Daisy Group .. (Score:1)
Private sector's no better, probably worse (Score:5, Insightful)
People will trade their passwords for a candy bar [bbc.co.uk].
Plus, public sector workers at least have some job security. I've worked in the private sector for 20+ years; there's a reason it's called "at-will" employment. Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.
I wish it weren't like that—and to be fair, the best teams I've worked with weren't (and aren't!) like that. But way too many offices run that way, and politics and sleaziness beats honesty and ethics nine times out of ten.
Re: (Score:2)
Sticking your neck out to report a breach won't win you any friends, doesn't gain you anything, and if it gets someone who's politically savvy in trouble it could blow back on you. Safer and easier to keep quiet and keep your job.
This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]
Re: (Score:2)
This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]
all? really? (How would you even be able to pick up such a brush?)
Re: (Score:2)
This technique is practiced by all public servants and it is called "Tosspottery". [urbandictionary.com]
all? really? (How would you even be able to pick up such a brush?)
Well as a practicing tosspot myself I have to maintain my tosspottery skills if I ever need them for the public service.
Actually it's my mistake, I meant to edit "all" out of that sentence. Thanks for pointing that out, it seems right that 2/3 of the public service are covering their asses from the practicing tosspots.
Re: (Score:2)
Did they ever check to see if those were real passwords? Somebody wants my password for a candy bar I like, I'll be happy to make up a password and give it to them. It's mine if I made it up, and whether it ever has worked or ever will work on a system somewhere really isn't my concern.
when reporting one takes filling out a TPS report (Score:5, Insightful)
When reporting one takes filling out a TPS report and talking to 8 different higher-ups, many of them non-tech people, who wants to do it?
Been there; done that. (Score:1)
In the 1990s, while working in IT for a certain federal agency, I accidentally discovered that the entire C:\ drive of the PC used by a federal employee involved in negotiations over a multi-million-dollar subcontracting action had been shared out to the entire internal network, where the contents could have been viewed by any of several thousand people. I wrote it up; sent it to the security folks. Their response? Crickets. Always made lots of noise about busting someone for the then-new pastime of porn surf
In other words... (Score:2)
Test the system (Score:2)
Something the FBI does with sensitive workers with security clearance in top secret projects is that they pose as foreign agents and try to buy access to their work.
The worker fails and is arrested if they accept the deal. It is basically entrapment but apparently it is legal. I don't especially mind either. I think entrapment is fine under a lot of circumstances.
If you gave me a gun with blanks in it and said I could murder some random person... I wouldn't do it. But if I tried, then I probably am not some
2/3 of public sector workers should be fired (Score:2)
The Y of It All (Score:2)
Re: (Score:1)
It's all fun and games until someone steals an ID (Score:2)
I work in the financial lending industry and I can promise you that if we slacked off on security and user credit info is leaked or stolen, it won't matter that the breach came by way of social engineering, brute force password attacks or swarms of pigeons waving flaming torches, everyone in the department gets sanctioned. Some will get reprimands, some will get demotions and some will get fired.
If it comes to a choice of losing your job or inconveniencing a user with a password change every 30, 60 or 90 da
Re: (Score:2)
So, if there's a leak and you find out about it, it may be in your best interests not to tell anybody?
Because stupid managers (Score:2)
A few years ago, at the company I work for, we got a spec to build an interface that would send passwords, in the open, to a vendor. Several of us warned upper management of the foolishness of this idea, but despite multiple attempts to push back on this request, management insisted that the process be written this way, so that is what was done. Perhaps 64% of employees would stay quiet about a security breach because so many managers are universally, fucking stupid, and it is always dangerous to tell the
They Probably Don't Need To Be Online (Score:1)
The aforementioned 2/3 of 'workers' probably don't need to be online to do their work. The simple fix is for their connection to the outside world to be snipped. Physical security measures can be used to ensure that the data is then 'protected' for the most part.
Obviously there are other means and ways for data to be stolen and leaked out, but the first order of business needs to be:
"You're too casual about security for any hardware you can access to be connected to the outside." Take away their connecti
Been there, told to do that. (Score:1)
This happens everywhere (Score:2)
I work for a multinational private company and we see the same thing, not just with security breaches.
The reality is, in most labor environments now, why would anyone make an effort to point something out that would get them marginalized or fired? This is especially true in the "outsourcing countries" -- most of the people working in these locations are extremely happy to have stable employment and will do anything they can to protect it. As a result, huge problems are hidden for as long as possible until t
"Disable password protection"? (Score:2)
Sorry, I've worked in a number of sectors, and these days for a US federal contractor, and unless you're talking about some upper manager, or someone in bed with same, I don't see how they'd do that. Everywhere I've worked, using, and changing passwords is enforced by the IT dept, and by software. Since everyone's networked these days, you don't get on otherwise. And the places I've worked have *forced* less than simple password.
The next question that comes to mind is *why* they wouldn't report a breach. A
Re: (Score:2)
don't do things that would allow it to become compromised by an attacker,
but there really isn't much point to all of this if you can't even plug your computer into the internet at all