Security systems are supposed to protect employees as much as corporate data, but more often than not, employees break the rules when those rules stand between them and getting their job done.
According to a poll of 250 IT security pros conducted at RSA's 2013 conference, employees often ignore the security rules set down by IT, and in many cases go around them. (Full disclosure: Lieberman Software, which sells software security products, conducted the survey.)
81.4% of respondents think employees tend to ignore the security rules IT departments put in place
75.8% think that employees have access to information that they don't necessarily need to perform their jobs
73.3% wouldn't bet $100 that their company won't suffer a data breach in the next six months
52.2% believe nothing would change even if the security directives came from executive management
One would think that in this economy, people wouldn't do anything to jeopardize their job, but there is no personal risk to the employee, according to Phil Lieberman, president and founder of Lieberman Software. "The reason for this attitude is that there is no personal consequence. This behavior is reinforced by years of neglect by management as well as work rules and precedent that protect employees from consequence since all risk is borne by the employer. Both state and federal laws provide no responsibility to employees."
We're not just talking about logging on to Facebook during working hours. We're talking about core IT security practices being ignored: failing to secure important data, and granting access to people who should not have it.
A prominent example Lieberman points to is RSA itself. In March 2011, RSA's SecurID seed server was compromised and the seeds for RSA tokens were stolen. A few months later, major defense contractors such as Lockheed Martin and L-3 were attacked using the information stolen from the SecurID vault. The full scope of the breach has never been determined.
Lieberman said RSA President Tom Heiser had been told not to connect the seed server to the wider RSA network, and to keep it isolated and physically separated from the rest of the servers. Instead, Heiser connected it to the RSA network to save money and be more efficient. RSA's network was then compromised through a spear-phishing email carrying a Microsoft Excel attachment that embedded an Adobe Flash exploit; once attackers had a foothold on the corporate network, the seed server was reachable from it.
"Did he lose his job? No. Did they have a chief security officer? No. They hired one afterwards. Nobody got fired, in fact, somebody got a new job," said Lieberman.
Security as an obstacle to work
The RSA situation reflects a common reason why people circumvent IT security. They are primarily interested in getting a job done, and if they have to go around security procedures or systems, they will. In RSA's case, the company wanted to simplify and speed up distribution of SecurID seeds.
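The practical lesson of the seed-server story is that "isolated" is a claim you can test: a crown-jewel host is only isolated if no chain of allowed flows leads to it from a segment where users read email and open attachments. The following is an added example, not code from the article, from RSA or from Lieberman Software. It models three constructed firewall policies (the segment names, ports and rules are invented for illustration) and walks allowed flows transitively, so it catches the case the eye misses: a vault that is not directly reachable from the corporate LAN but is reachable through an admin jump host that is.

```python
"""Transitive reachability check for a segmented network policy.

Added example (not from the original article or from RSA/Lieberman Software).
Segment names, ports and rules below are constructed for illustration.
A rule (src, dst, port) means hosts in segment `src` may open `port` on
hosts in segment `dst`. An attacker who owns one host in a segment is
assumed to be able to use every flow that segment is allowed to open.
"""
from collections import deque

# Vault joined to the corporate network "to save money": one phished user away.
WEAK_POLICY = [
    ("corp-lan", "file-server", 445),
    ("corp-lan", "seed-vault", 443),
    ("seed-vault", "token-factory", 22),
]

# Vault reachable only from a dedicated signing workstation that the
# corporate LAN has no route to.
HARDENED_POLICY = [
    ("corp-lan", "file-server", 445),
    ("corp-lan", "admin-jump", 22),
    ("signing-ws", "seed-vault", 443),
    ("seed-vault", "token-factory", 22),
]

# Looks isolated on paper, but the jump host bridges corp-lan to the vault.
LEAKY_POLICY = HARDENED_POLICY + [("admin-jump", "seed-vault", 443)]


def _adjacency(policy):
    """Segment -> list of segments it may open a connection to."""
    adj = {}
    for src, dst, _port in policy:
        adj.setdefault(src, []).append(dst)
    return adj


def reachable_from(policy, start):
    """Every segment an attacker can pivot to from `start`, following
    allowed flows transitively (BFS). `start` itself is excluded."""
    adj = _adjacency(policy)
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in adj.get(seg, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def paths_to(policy, start, target):
    """All simple paths of allowed flows from `start` to `target`, so a
    report can name the rules that break the isolation claim."""
    adj = _adjacency(policy)
    found = []

    def walk(seg, path):
        if seg == target:
            found.append(path)
            return
        for nxt in adj.get(seg, []):
            if nxt not in path:          # simple paths only
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def is_isolated(policy, phishable_segment, crown_jewel):
    """True when no chain of allowed flows links the segment users read
    email on to the crown-jewel segment."""
    return crown_jewel not in reachable_from(policy, phishable_segment)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("leaky", LEAKY_POLICY)):
        ok = is_isolated(policy, "corp-lan", "seed-vault")
        print(f"{name:9s} vault isolated from corp-lan: {ok}")
        for path in paths_to(policy, "corp-lan", "seed-vault"):
            print("   exposure path:", " -> ".join(path))
```

The check is deliberately one-directional: it asks what an attacker on the corporate LAN can reach, not what the vault can reach, because the phished workstation is the realistic starting point. In practice the policy list would be generated from the real firewall or cloud security-group export rather than typed by hand, and the `is_isolated` assertion run in CI so that a convenience rule like the one in `LEAKY_POLICY` fails a build instead of waiting for an incident.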