Second of two articles
Officially, corporations never fail to report suspected security violations, never pay ransoms to hackers, and never allow employees to use company IT systems for personal reasons.
Unofficially, they do all of those things.
According to Dark Reading's "Security Scruples" survey, which concluded today, many enterprises operate differently in private than they say they do in public. And those differences cause some concerns for IT security professionals, whose jobs are on the line.
The new data comes from a Web survey of some 649 Dark Reading readers that occurred over the past three weeks. The first half of the survey dealt with issues of personal ethics among IT and security professionals. (See Security's Rotten Apples.)
The survey responses suggest that while most companies maintain strong policies to protect their ethical and legal positions, their actual enforcement of those policies tends to vary with the situation.
For example, many states currently require enterprises to report suspected security violations to the authorities and to potentially affected end users. But in a hypothetical question, we asked IT pros what their companies would do if they discovered that a hacker had broken into their customer database -- and more than 40 percent said they would not inform their customers.
"For businesses, it comes down to which is worse: the security breach itself, or the fallout from reporting it?" says a technical consultant at an engineering company. "For most companies, reporting it is more painful, because of the potential loss of reputation and customers. So there is a natural tendency not to report [an incident]."
In post-survey interviews, some respondents said that the emerging state disclosure laws are having an impact on their incident reporting practices. Others expressed skepticism.
"For a law's teeth to sink in, the breach must first be identified, then 'known about,' then investigated, then attributed," says Charles Tuite, operations coordinator at Ball State University. "By that time, there are going to be precious few [organizations] that haven't found a way out of the situation, either by doing something as sneaky as backdating their documents" or by pointing out that their security policies note the potential for leaks, he says.
And while most companies say they will deal harshly with insiders who expose company information, some of our survey respondents said such offenders probably would get off relatively easily. When asked a hypothetical question about discovering an employee who was stealing trade secrets or customer lists for profit, nearly 20 percent of respondents said their companies would handle the situation with a warning or dismissal, without reporting the incident to law enforcement. Another 35 percent said they would report the breach to law enforcement, but try to keep it away from the public.
Companies' reluctance to report an insider breach -- at least to law enforcement -- is surprising, given that most survey respondents feel that the insider threat is the greatest danger to enterprise security. Some 43 percent of those surveyed said that "disgruntled employees who might try to sabotage company systems or processes" are the greatest single threat to their businesses.
"The insider threat is more dangerous now because it has generally been ignored," says Eric Knapp, IT security administrator at General Communications. "Up to now, everybody's eyes have been focused outward. Now that the insider threat is becoming more well known, I think there will be more action taken. We are taking more steps within our 'trust the employee' culture -- 'trust but verify,' I suppose."
The reluctance to report security incidents -- from inside or out -- could cause some companies to find themselves in sticky situations. In another hypothetical situation, we imagined that a cracker called the respondent and proved he had the power to cause millions of dollars in downtime. For a ransom of $50,000 he promises to give the exploit to the respondent's company with a promise not to distribute it to others.
Nearly 5 percent -- some 29 companies -- said they would pay the ransom, rather than first reporting it to law enforcement. "If you're a site like Amazon or one of the big organizations that might lose $5 million in less than an hour of downtime, it's a pretty easy choice to pay a relatively small ransom like that and avoid all of the negative publicity," says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix law firm. (See Stolen Data's Black Market.)
While "site kidnappers" and major security breaches are relatively rare, our survey suggests that many companies are conflicted in their enforcement of everyday security policies as well. When asked about their approach toward restricting the use of company Internet connections for personal use, 37 percent said they have policies against it -- but such usage occurs regularly and IT doesn't do much about it.
Most companies view Internet use as they do the company phone -- officially, phones are only for business use, but some personal use is okay, as long as it's not out of control. But with the rapid evolution of phishing attacks, keyloggers, and other exploits, IT security managers are beginning to wonder whether their lack of enforcement of company security policies is wise.
"My users have, in the past, downloaded questionable files," says John Morgus, IT manager at Kenworth Northwest Motor Trucks. "We find out and end up removing these files, but it usually downs a workstation for a day while I clean the mess up. When confronted, the perpetrator always is 'not me.' It gets frustrating."
The attitude toward corporate email systems is generally similar. About 66 percent of survey respondents say they don't censure employees for exchanging personal email on the corporate system, and another 24 percent say they have policies against the use of company email for personal reasons, but don't enforce them.
"My company has always had a very open, 'trust the employee' policy," says one IT security administrator. "I don't see this changing, because it has been successful at getting the most out of our people. I do think we will have to expand our explanation of what we mean when we say 'use good judgment,' however."
And some IT pros believe that the lack of policy enforcement is putting their systems at risk. About 31 percent of respondents said their companies have adopted a policy which states that employees should only have access to data directly related to their work -- but in reality, a determined insider could get access to at least some user data.
"What happens in that situation is that people who have too much access -- and aren't monitored closely enough -- see an opportunity arise and take advantage of the system," says another IT administrator. "A policy isn't much good if it isn't enforced."
Tim Wilson, Site Editor, Dark Reading