08:05 AM
Larry Loeb

Government Workers Believe Security Is Someone Else's Job

A study from Dtex Systems finds a growing disconnect between government employees and the organizations that they work for over who is ultimately responsible for maintaining good security practices.

This week, Dtex Systems released a new report, "Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees," looking at government workers and organizational security.

The study is based on responses from more than 1,000 public and private sector employees who are based in the US and are thought to be some of the most security conscious in government since they have security clearance across either federal, state or local levels.

However, the results demonstrate that there is a widespread expectation among respondents that it is the organization that assumes the responsibility of protecting sensitive work data and devices.

The study shows that there is a definite disconnect among respondents when it comes to tying their individual behaviors -- no matter if they are responsible or risky -- to any effects on overall organizational security.

Indeed, only 13% of respondents believe that they have complete personal responsibility for the security of their work devices or information. Another 48% told researchers that they have no responsibility for it at all.

This may be rooted in a strong belief in their organization's ability to serve as a data protector. But one in three -- 29% -- of the employees believe that they are more likely to be struck by lightning than have their work data compromised.

In fact, they fear file theft only slightly more than public speaking or alien invasion.

The survey also found that only half -- 52% -- of these employees believe that IT security is everyone's responsibility, or their own personal responsibility. The responsibilities were deflected elsewhere. About 48% believed that the responsibility for IT security fell on someone else in the organization, such as senior leadership (10%), colleagues (8%), or the IT team (30%).

These employees may assume that they are protected against potential consequences of their individual behaviors by organizational security.

The study also showed a gap in respondents engaging in secure practices.

While 90% of government employees perceive using an encrypted file system as an important security practice, only one in three reported using one in the previous two months. Similarly, of the 92% who noted that updating anti-virus software is critical, only half -- 46% -- actually did so in the same time period.

Reporting on a co-worker's risky behavior showed the same gap. While 86% of respondents accepted its importance, only 15% had done so in the last 60 days. Indeed, only 43% of those surveyed had ever reported such behavior at any time.

This has great relevance when the idea of an insider threat is considered. About 42% of those surveyed were found to believe that insider threats will pose the greatest risk to the security of their organization. However, only about the same number were able to correctly identify "insider threat" as an IT term -- not very reassuring.

The report shows that government employees remain a significant risk to the organization because of their belief in the security of the organization itself. Education may help to disabuse some of these notions, but they seem pervasive enough to be a continuing security threat.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
