
Better education for whole workforce needed…
Published: 3 April 2008 09:07 BST
Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.
Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.
Ashenden said to an audience of military and civilian IT security specialists: "Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded. We need to get end users on side. We can't ignore them anymore. We need to move away from command and control and interact with them."
IT security managers do not like the idea of empowering end users and would prefer to be able to "lock them down" in the same way employees' PCs can be locked down, said Ashenden.
Ashenden's speech made reference to several recent high-profile security breaches, including the exposure of 25 million individuals' records by HM Revenue & Customs (HMRC) in November last year, and the loss of an MoD laptop containing the records of some 600,000 defence personnel.
Ashenden claimed that although breaches such as the HMRC loss had led to a new focus on IT security, based around improving processes and technology, the incidents were down to human factors. "We need to find a way to make people streetwise and question core beliefs so they question this kind of behaviour before it's carried out," she said.
A survey from PricewaterhouseCoopers (PwC) released this week appears to back up Ashenden's assertions. The results show the proportion of companies that have an information security policy has quadrupled over the last eight years.
However, one of the report's authors, PwC's Chris Potter, said having a security policy alone does not magically improve security awareness among staff. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people."
There has been a spate of high-profile security breaches dating back to mid-2007, which has led government watchdogs to demand that action be taken against organisations and individuals who fail to safeguard data and information. In a document submitted to government in January this year, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.
Ashenden claimed there has to be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.
She said: "Most information security managers didn't come into the profession to get involved in cultural change and to talk to end users. They came in because they have an interest in technology. But we have to measure values, attitudes and perceptions of end users and aggregate the information to craft cultural change."
In response to those IS professionals who suggested there are no hard quantitative approaches to the analysis of attitudes and behaviour of employees, Ashenden claimed there are recognised ways to tackle this kind of analysis of end-user behaviour that are already used in social-science disciplines.
Responding to a question about the failure of software makers to build user-friendly security systems, Ashenden agreed that approaches such as pop-up warnings in operating systems were ineffective, as users eventually become conditioned to ignore them. She also referenced a quote that claims hackers often pay more attention to the human link in the security chain than security designers do.
The PwC survey is part of the 2008 Information Security Breaches Survey created on behalf of the Department for Business, Enterprise and Regulatory Reform. The final report will be launched in London at the Infosecurity show on 22-24 April.
Original article: Don't blame 'stupid users' for data breaches from ZDNet UK
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.