This week, Dtex Systems released a new report, "Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees," looking at government workers and organizational security.
The study is based on responses from more than 1,000 public and private sector employees who are based in the US and are thought to be some of the most security conscious in government since they have security clearance across either federal, state or local levels.
However, the results demonstrate that there is a widespread expectation among respondents that it is the organization that assumes the responsibility of protecting sensitive work data and devices.
The study shows that there is a definite disconnect among respondents when it comes to tying their individual behaviors -- no matter if they are responsible or risky -- to any effects on overall organizational security.
Indeed, only 13% of respondents believe that they have complete personal responsibility for the security of their work devices or information. Another 48% told researchers that they have no responsibility for it at all.
This may be rooted in a strong belief in their organization's ability to serve as a data protector. But one in three -- 29% -- of the employees believe that they are more likely to be struck by lightning than have their work data compromised.
In fact, they fear file theft only slightly more than public speaking or alien invasion.
The survey also found that only half -- 52% -- of these employees believe that IT security is everyone's responsibility, or their own personal responsibility. The responsibilities were deflected elsewhere. About 48% believed that the responsibility for IT security fell on someone else in the organization, such as senior leadership (10%), colleagues (8%), or the IT team (30%).
These employees may assume that they are protected against potential consequences of their individual behaviors by organizational security.
The study also showed a gap in respondents engaging in secure practices.
While 90% of government employees perceive using an encrypted file system as an important security practice, only one in three reported using one in the previous two months. Similarly, of the 92% who noted that updating anti-virus software is critical, only half -- 46% -- actually did so in the same time period.
Reporting on a co-worker's risky behavior showed the same gap. While 86% of respondents accepted its importance, only 15% had done so in the last 60 days. Indeed, only 43% of those surveyed had ever reported such behavior at any time.
This has great relevance when the idea of an insider threat is considered. About 42% of those surveyed believe that insider threats will pose the greatest risk to the security of their organization. However, only about the same share of respondents were able to correctly identify "insider threat" as an IT term -- not very reassuring.
The report shows that government employees remain a significant risk to the organization because of their belief in the security of the organization itself. Education may help to disabuse some of these notions, but they seem pervasive enough to be a continuing security threat.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.