BreachExchange mailing list archives

Half of All Federal Agency Security Breaches Caused by Lack of User Compliance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Oct 2013 23:05:01 -0600

http://www.cnbc.com/id/101112716

MeriTalk, a public-private partnership focused on improving the outcomes of
government IT, today announced the results of its new report, “Cyber
Security Experience: Cyber Security Pros from Mars; Users from Mercury.”
The study, underwritten by Akamai Technologies, Inc., compares what cyber
security professionals report about their agency’s security with what end
users – Federal workers – actually experience. According to the report,
agencies often fail to take the user experience into account when deploying
cyber security solutions. As a direct result, end users often circumvent
security measures and open their agencies up to data theft, data loss, and
denial-of-service attacks.

Federal agencies regularly battle very real cyber threats including
international cyber attacks, denial-of-service attacks, hackers, and data
theft. However, few Federal cyber security professionals feel completely
prepared for these threats – 74 percent say they are not prepared for an
international cyber attack, 74 percent say they are not prepared to support
secure access for mobile devices, 70 percent are not prepared for a
denial-of-service attack, and 70 percent are not prepared to secure cloud
computing environments. Prepared or not, these cyber attacks show no signs
of slowing – half of cyber security professionals say their agency is
likely to be the victim of a denial-of-service attack in the next 12 months.

As a result of the numerous cyber threats, cyber security professionals are
focused on keeping data secure but fail to prioritize the user experience.
Seventy-four percent of cyber security professionals say their top priority
is preventing data theft followed by ensuring a thorough web security
strategy (56 percent), maintaining and upgrading security systems (55
percent), deploying the most up-to-date cyber security protocols (54
percent), and mitigating denial-of-service attacks (53 percent). Ensuring a
user-friendly experience across all security applications comes in last on
cyber security professionals’ list of priorities with only 40 percent
reporting it as a top concern.

As security measures become less user friendly, they also become less
effective. Cyber security professionals estimate that almost half (49
percent) of all agency security breaches are caused by a lack of user
compliance. These breaches are frequent with half of cyber security
professionals reporting they witness a breach in their agency’s security
policies at least once a week. According to cyber security professionals,
the most challenging end user applications to secure are email, external
websites, and the internet from agency workstations. These are the same
tools that more than 80 percent of end users rely on daily.

Not only do end users experience challenges with the applications they use
daily, many of the activities they must perform as part of their daily work
also cause frustration. The activities that cyber security professionals
say are the most likely to cause a security breach are the same activities
where end users run into the most frustrating security measures. The top
areas for cyber security professionals’ concern and end users’ frustration
are surfing the internet, downloading files, accessing networks, and
transferring files.

“More security rules, more security tasks, and more security delays have
done little to drive more user buy-in for cyber security,” said Tom Ruff,
vice president public sector, Akamai. “Without question, Federal cyber
security pros have a tough job, but they must start working with end users
as partners instead of adversaries. It is a team game, and better support
for users will deliver better results for security.”

End users say cyber security measures hinder their productivity and as a
result admit to breaking protocol. Sixty-six percent of end users believe
the security protocols at their agency are burdensome and time-consuming.
Sixty-nine percent say at least some portion of their work takes longer
than it should due to security measures. Nearly one in five end users can
recall an instance where they were unable to complete a work assignment on
time because of a security measure. As a result, 31 percent of end users
say they use some kind of security workaround at least once a week.

Despite frustrations, end users and cyber security professionals agree that
cyber security should be a top priority for Federal agencies. Ninety-five
percent of cyber security professionals and end users agree that the
deployment of cyber security measures is an absolute necessity to protect
agencies from cyber threats such as data loss, data theft, and
denial-of-service attacks. Almost all (98 percent) say keeping agency
networks and data secure is everyone’s responsibility.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/