Don't blame 'stupid users' for data breaches

Andrew Donoghue ZDNet.co.uk

Published: 02 Apr 2008 14:30 BST


Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.

Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.

"Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded," she told an audience made up of military and civilian IT security specialists. "We need to get end users on side. We can't ignore them anymore. We need to move away from command and control and interact with them."

IT security managers do not like the idea of empowering end users and would prefer to be able to "lock them down" in the same way employees' PCs can be locked down, said Ashenden.

Ashenden's speech made reference to several recent high-profile security breaches, including the exposure of 25 million individuals' records by HM Revenue & Customs (HMRC) in November last year, and the loss of an MoD laptop containing the records of some 600,000 defence personnel.

Ashenden claimed that although breaches such as the HMRC incident had led to a new focus on IT security, based around improving processes and technology, the incidents themselves were down to human factors. "We need to find a way to make people streetwise and question core beliefs so they question this kind of behaviour before it's carried out," she said.


A survey from PricewaterhouseCoopers (PwC) released this week appears to back up Ashenden's assertions. The results show the proportion of companies that have an information security policy has quadrupled over the last eight years.

However, one of the report's authors, PwC's Chris Potter, said having a security policy alone does not magically improve security awareness among staff. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people."

There has been a spate of high-profile security breaches dating back to mid-2007, which has led government watchdogs to demand that action be taken against organisations and individuals who fail to safeguard data and information. In a document submitted to government in January this year, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

Ashenden claimed there has to be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.

"Most information security managers didn't come into the profession to get involved in cultural change and to talk to end users. They came in because they have an interest in technology," she said. "But we have to measure values, attitudes and perceptions of end users and aggregate the information to craft cultural change."

In response to those information security professionals who suggested there are no hard quantitative approaches to analysing the attitudes and behaviour of employees, Ashenden claimed there are recognised ways to tackle this kind of analysis of end-user behaviour that are already used in social-science disciplines.

Responding to a question about the failure of software makers to build user-friendly security systems, Ashenden agreed that approaches such as pop-up warnings in operating systems were ineffective, as users eventually become conditioned to ignore them. She also referenced a quote that claims hackers often pay more attention to the human link in the security chain than security designers do.

The PwC survey is part of the 2008 Information Security Breaches Survey created on behalf of the Department for Business, Enterprise and Regulatory Reform. The final report will be launched in London at the Infosecurity show on 22-24 April.
