82% of data breaches due to staff errors; 4% of IT trusts users; IT is still to blame
You can't blame end users for not doing what you haven't taught them to do
Here are two timely items that seem to go together:
The first item is based on preliminary results from an annual survey from PricewaterhouseCoopers (PwC) designed to identify characteristics major data breaches have in common.
Its big revelation in the 2012 edition is that mobile computing devices – primarily smartphones and iPads – act as much like cracks through which secure data can leak as they do portals that give employees constant access to the office.
The lines between employees' work and personal life have blurred into almost nonexistence, forcing most companies to allow access to formerly secure systems through mobile devices they often don't own and can't control.
Seventy-five percent of the companies responding to PwC's survey allow employees to connect personal devices to the company network; 39 percent encrypt the data on those devices.
The "staff mistakes" that make up 82 percent of data breaches, according to PwC, are primarily from mobile devices that are lost or stolen with unprotected, proprietary data still on them. "Smartphones and tablet computers are often lost or stolen, with any data on them exposed. Mobile devices can drill straight through your security defences, if you're not careful," according toPwC analyst Chris Potter, who misspells defenses when he speaks because he's British.
The second item seems to follow logically from the first: end users are bad, sloppy and often criminally negligent (not to mention stoooopid noobs), so IT people are foolish to trust them, according to a survey conducted last month by security vendor Sophos.
A quarter of security wonks reported fixing at least one security problem a day; 26 percent said the worst offenses came from senior managers. Only 4 percent said they trust their users with data or security.
Is it the end-users' fault they're so clueless?
Contradicting the knee-jerk self-righteousness that develops in experienced IT people is the PwC survey's finding that only 38 percent of large companies offer any security awareness programs; 54 percent of small organizations have similar programs.
Only one organization in seven that claimed to put a high priority on security even had a written security policy, let alone a training program.
Even at those high-security organizations, only a third of the staff understood the security policies.
So…whose fault is it?
Both. Users don't pay attention to geeks because security talk is a downer, IT people condescend and patronize comparatively non-technical colleagues and have little or no incentive in their performance-review goals, bonus structures or other reward systems for educating end users rather than scoffing at them.
IT people don't respect end users because…well, this is the Internet. There's not enough space to write all the reasons IT people don't respect end users and the kind of language that would be needed for an accurate description just isn't tolerated.
Sophos did something useful with its survey; it linked the pathetic snapshot of the attitudes of IT security people with a toolkit designed to jump-start employee IT-security training programs. It also contains a few horror stories from the IT people whose experiences contributed to the info in the kit. together.
The toolkit (direct download here) includes sample employee handbook, 10 tips for better security and better passwords, educational videos and documents to educate users and encourage them to buy in to the idea of security as a benefit rather than a chore.
Good luck on that last one. But on the other hand, good luck (seriously) on the rest of the items as well.
You can't blame users for not doing what you want if you don't explain it in the first place, and can't blame them much if you don't show them why a few precautions can benefit them, not just make some dour security diktator happy.
Oh, and while you're at it, buy something that will let you encrypt the data all those users are downloading to iPhones they'll be leaving on a plane or train sometime in the near future, hmmm?
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.