Security Pros Bleakly Assess Federal ITUsers Bypass Security Measures, Say They're Burdensome
IT security experts I interviewed on federal preparedness - or lack thereof - for securely restoring IT systems when the partial government shutdown ends say that security was lacking before the shutdown (see IT Seen As Vulnerable When Shutdown Ends).
For example, Bruce Brody, the onetime chief information security officer at the Energy and Veterans Affairs departments, put it this way: "Let's not presuppose that these systems were entirely shipshape before the shutdown."
More security rules, more security tasks, and more security delays have done little to drive more user buy-in for cybersecurity.
A new survey of 100 federal IT and IT security managers and specialists shows they generally concur with that assessment.
More than two-thirds of them say their agencies are ill-prepared to defend against advanced malware, distributed-denial-of-service attacks, hackers, international cyber-attacks and employees leaking secure information. And most say the agencies aren't ready to deploy secure cloud computing environments and provide safe access to mobile devices. That's not all. More than half say their agencies can't properly prevent data loss and data theft.
The study - Cybersecurity Experience: Security Pros from Mars; Users from Mercury - is based on an August online survey that also queried 100 federal government IT end-users. The survey, commissioned by MeriTalk, a public-private partnership aimed at improving government IT, was underwritten by the Internet content delivery network Akamai Technologies.
The Enemy Is Us
Among the more astounding results: Half of those charged with safeguarding their agencies' IT systems say they witness a violation of their agency's security policies at least once a week. Why so? Lack of user compliance. As Walt Kelly's comic-strip protagonist Pogo once uttered, "We have met the enemy and he is us."
Government IT users cite the burdensome, time-consuming and obstructive nature - in their view - of IT security measures as hampering their ability to get their jobs done. Nearly 70 percent of users say at least some portion of their work takes them longer than it should because of security measures. That's why one in three users surveyed say they employ some type of security workaround at least once a week.
That presents cybersecurity specialists with the problem of toughening security while making it user friendly.
"More security rules, more security tasks and more security delays have done little to drive more user buy-in for cybersecurity," says Tom Ruff, a vice president at Akamai. "Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security."
Frustrations Lead to Increased Risk
What troubles users the most? Frequent passwords updates, too many passwords that are difficult to track, security software that slows processing time and limited remote access. Such frustrations, the study's authors contend, lead to increased risk.
A major disconnect between IT security managers and end-users is their perceptions of that risk. End-users offer a far more upbeat assessment than IT security managers of their agencies' preparations for dealing with the risks posed by international cyber-attacks, hackers, data loss, personal software uploads and malware. This disconnect on risk exasperates IT security managers, with more than one-third saying low user compliance is their biggest frustration.
The term awareness is becoming a clichÃ©. But its overuse is understandable because cybersecurity specialists must do a better job communicating to users the risks posed by their lack of healthy online hygiene. Still, you can't blame the users. All they want to do is get the job done, and too often security gets in the way.