
3/16/2018
08:05 AM
Larry Loeb

Government Workers Believe Security Is Someone Else's Job

A study from Dtex Systems finds a growing disconnect between government employees and the organizations that they work for over who is ultimately responsible for maintaining good security practices.

This week, Dtex Systems released a new report, "Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees," looking at government workers and organizational security.

The study is based on responses from more than 1,000 public and private sector employees who are based in the US and are thought to be some of the most security conscious in government since they have security clearance across either federal, state or local levels.

However, the results demonstrate that there is a widespread expectation among respondents that it is the organization that assumes the responsibility of protecting sensitive work data and devices.

The study shows that there is a definite disconnect among respondents when it comes to tying their individual behaviors -- no matter if they are responsible or risky -- to any effects on overall organizational security.

Indeed, only 13% of respondents believe that they have complete personal responsibility for the security of their work devices or information. Another 48% told researchers that they have no responsibility for it at all.

This may be rooted in a strong belief in their organization's ability to serve as a data protector. But one in three -- 29% -- of the employees believe that they are more likely to be struck by lightning than have their work data compromised.

In fact, they fear file theft only slightly more than public speaking or alien invasion.

The survey also found that only half -- 52% -- of these employees believe that IT security is everyone's responsibility, or their own personal responsibility. The rest deflected responsibility elsewhere: about 48% believed that the responsibility for IT security fell on someone else in the organization, such as senior leadership (10%), colleagues (8%), or the IT team (30%).

These employees may assume that they are protected against potential consequences of their individual behaviors by organizational security.

The study also showed a gap in respondents engaging in secure practices.

While 90% of government employees perceive using an encrypted file system as an important security practice, only one in three reported using one in the previous two months. Similarly, of the 92% who noted that updating anti-virus software is critical, only half -- 46% -- actually did so in the same time period.



Reporting on a co-worker's risky behavior showed the same gap. While 86% of respondents accepted its importance, only 15% had done so in the last 60 days. Indeed, only 43% of those surveyed had ever reported such behavior at any time.

This has great relevance when the idea of an insider threat is considered. About 42% of those surveyed were found to believe that insider threats will pose the greatest risk to the security of their organization. However, only about the same number were able to correctly identify "insider threat" as an IT term -- not very reassuring.

The report shows that government employees remain a significant risk to the organization because of their belief in the security of the organization itself. Education may help to disabuse some of these notions, but they seem pervasive enough to be a continuing security threat.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
