3/16/2018
08:05 AM
Larry Loeb

Government Workers Believe Security Is Someone Else's Job

A study from Dtex Systems finds a growing disconnect between government employees and the organizations that they work for over who is ultimately responsible for maintaining good security practices.

This week, Dtex Systems released a new report, "Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees," looking at government workers and organizational security.

The study is based on responses from more than 1,000 public and private sector employees who are based in the US and are thought to be some of the most security conscious in government since they have security clearance across either federal, state or local levels.

However, the results demonstrate that there is a widespread expectation among respondents that it is the organization that assumes the responsibility of protecting sensitive work data and devices.

The study shows that there is a definite disconnect among respondents when it comes to tying their individual behaviors -- no matter if they are responsible or risky -- to any effects on overall organizational security.

Indeed, only 13% of respondents believe that they have complete personal responsibility for the security of their work devices or information. Another 48% told researchers that they have no responsibility for it at all.

This may be rooted in a strong belief in their organization's ability to serve as a data protector. But one in three -- 29% -- of the employees believe that they are more likely to be struck by lightning than have their work data compromised.

In fact, they fear file theft only slightly more than public speaking or alien invasion.

The survey also found that only half -- 52% -- of these employees believe that IT security is everyone's responsibility, or their own personal responsibility. The responsibilities were deflected elsewhere. About 48% believed that the responsibility for IT security fell on someone else in the organization, such as senior leadership (10%), colleagues (8%), or the IT team (30%).

These employees may assume that they are protected against potential consequences of their individual behaviors by organizational security.

The study also showed a gap in respondents engaging in secure practices.

While 90% of government employees perceive using an encrypted file system as an important security practice, only one in three reported using one in the previous two months. Similarly, of the 92% who noted that updating anti-virus software is critical, only half -- 46% -- actually did so in the same time period.


Reporting on a co-worker's risky behavior showed the same gap. While 86% of respondents accepted its importance, only 15% had done so in the last 60 days. Indeed, only 43% of those surveyed had ever reported such behavior at any time.

This has great relevance when the idea of an insider threat is considered. About 42% of those surveyed were found to believe that insider threats will pose the greatest risk to the security of their organization. However, only about the same number were able to correctly identify "insider threat" as an IT term -- not very reassuring.

The report shows that government employees remain a significant risk to the organization because of their belief in the security of the organization itself. Education may help to disabuse some of these notions, but they seem pervasive enough to be a continuing security threat.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
