Security meets the enemy, and it's the users
It is no shock to learn that end users and IT security people often do not see eye to eye. If the security shop had its way, everything would be locked down, and there would be no end users. Users see security as an impediment to doing their jobs. And a recent survey indicates that the divide between users and defenders could be undermining federal cybersecurity.
The survey — of 100 federal security professionals and 100 end users in agencies — was conducted by MeriTalk in August and contains a few telling data points:
- 31 percent of end users admit to regularly circumventing what they see as unreasonable security restrictions.
- Security people estimate that 49 percent of agency breaches are caused primarily by a lack of user compliance.
- User frustration equals security risks. The greatest pain points for users — Web surfing and downloading files — produce the most agency breaches.
The sample size isn’t large, but the survey claims a margin of error of less than 10 percent and a 95 percent level of confidence.
The results are not surprising, said Tom Ruff, public sector vice president at Akamai Technologies, which commissioned the study. It confirms a disconnect that has long existed. Ensuring a user-friendly experience ranked last among the priorities of security professionals, and that probably is as it should be, Ruff said. “At the end of the day the cyber team has got to protect the agency’s mission. That’s job one.”
But with 50 percent of the threat coming from insiders, either intentionally or accidentally, bridging the gap between users and defenders is becoming more important to the security of government networks and systems.
This is not a new idea. Government cybersecurity policy has been moving toward a closer integration of security with IT operations in an effort to provide better real-time visibility into the activity and status of systems. This is, in part, what the focus on continuous monitoring is all about. But the integration also could help move the security shop closer to the users, giving it a better view of just what it is the users are trying to do, what their pain points are and why they are responsible for so many breaches.
It is not a one-way street, of course. The users are going to have to learn to accommodate security when necessary. Just because something can be done doesn’t mean that it should be, and some inconveniences are legitimate trade-offs for improved security.
Awareness training is supposed to be a part of agency cybersecurity programs, and lack of awareness does not seem to be the root of the problem. According to the MeriTalk/Akamai survey, 95 percent of users believe that cybersecurity is an absolute necessity. As long as users understand the reason for a specific policy or process, they probably will accept it.
“The more transparent the security policy is, the easier it will be to address the divide,” Ruff said.
Bridging the divide at a time when challenges are growing faster than budgets and everyone is struggling to make ends meet is not easy. But if agencies can find time to focus on this challenge it could be a cost-effective way to help improve security.
Posted by William Jackson on Oct 25, 2013 at 1:22 PM