Some interesting results:
53% of respondents feel they NEED to work around security policies to get their jobs done.
37% of respondents have stumbled into areas of the network to which they SHOULDN'T have access.
50% of U.S. respondents switched roles and still had access to UNNECESSARY accounts/resources.
And that's with most respondents understanding security policies and having been given training about the importance of following security practices.
The last time I wrote about an RSA survey pointing out that employees feel they NEED to work around security controls to get their jobs done, the number was at 35%. So, it's either gotten worse or it varies from crowd to crowd (likely the latter).
Get the full survey report here
2 comments:
It definitely varies from crowd to crowd, and I'd wager a guess that many people don't even realize they are working around security policy to get their jobs done. Either they've intuitively figured out a way around DLP restrictions, or the enforcement mechanisms aren't working properly.
Regardless, data loss is largely a human problem, and pointing fingers at software failures is a good way to end up in a wild-goose-chase of symptoms without ever addressing the real issue.
A friend of mine, Michael Santarcangelo, II recently wrote a short and insightful book called Into The Breach: Protect your business by managing people, information and risk. I got a few preview copies (and will soon get a re-distributable e-book version). I'd be more than happy to send you a copy. It's a good read, even if you don't agree with the strategy that Michael presents.
Thanks for the comment ax0n! I agree that many policy breaches happen without people even knowing that they're doing something wrong. Let me know about the book - I'd like to take a look.