Employee Apathy and Overconfidence Threaten Security of Public Sector Organizations
One-third of government worker respondents to a Dtex study believe they are more likely to be struck by lightning than to have their organizations' data compromised.
The report, “Uncovering the Gaps: Security Perceptions and Behaviors of Today’s Government Employees,” reveals a consistent pattern of negligence and disinterest in developing positive security habits as well as significant gaps in threat awareness and risk identification.
Against a backdrop of growing concerns about large-scale cyber attacks and a recent wave of high-profile breaches linked to insider threats, the data indicates a prevalence of risky and careless behavior among government employees surveyed. In aggregate, the results also signal a broad expectation among these employees that their organizations should – and will – assume the primary responsibility of protecting sensitive work data and devices.
Some of the findings in the report are:
- A tendency to deflect or shift personal responsibility when it comes to security. Almost half (48 percent) of the government employees surveyed think responsibility for securing organizational data and devices falls squarely on IT professionals, senior leadership and colleagues, with only 13 percent putting the onus on themselves as individuals.
- An inclination to gravitate to one of two extremes – apathy or overconfidence. More than half of respondents (53 percent) believe that no matter what proactive measures they take, a hacker will find their way in. On the other side of the spectrum, 30 percent think they are more likely to be struck by lightning than have their organizations’ data compromised.
- A desensitization to the high probability and potential dangers of data compromise. When looking at what government employees fear most, only 14 percent report being afraid of someone infiltrating their organization and stealing files, trailing far behind potential scenarios such as a government collapse or food poisoning, and ranking it just three percentage points higher than alien invasion.
“We’re all – as individuals, as organizations, and as a country – facing near-constant security attacks, whether from trusted insiders, malicious cyber criminals or nation-state actors,” said Christy Wyatt, CEO at Dtex Systems. “With the increasing regularity and broad scope of insider-related incidents and breaches, it has become critical that public sector organizations improve security protocols and double down on intelligence-based, user-centric technology investments. The ability to both monitor and develop a contextual understanding of user behavior in real time is critical – not just in detecting and mitigating insider threats, but in this case, ensuring the continued safety of our nation.”
Filling the Organizational Security Gaps: From Awareness to Action
Gaps in knowledge versus engagement: The prevailing attitudes of overconfidence and apathy may be to blame for a notable discrepancy among survey respondents between understanding what responsible security behavior looks like and actually engaging in that behavior. For example, an overwhelming percentage of respondents perceive responsible security habits such as using an encrypted file system or reporting a colleague’s risky behaviors as important (90 and 86 percent, respectively). But fewer than one in three reported having done either in the last 60 days.
Gaps in risk perception and identification: While there’s a demonstrable grasp of what constitutes a positive security habit, the data reveals a second gap – this one, educational – when it comes to identifying and avoiding what should typically be deemed irresponsible or risky behavior. Of the government employees surveyed, only one in three (31 percent) believe that accessing company files or a work email account on their personal devices poses a security risk – and fewer than half see emailing confidential data or bypassing security protocols as potentially dangerous activities.
“Insider threats are plaguing the nation’s government organizations, no matter their size or focus – from the White House to political campaigns to local department offices,” said Jeff Miller, Director of US Public Sector at Dtex. “Each government employee has the potential to create a vulnerability with a single decision or action. And when they fail to recognize their role as ‘insiders,’ the risk to the organization increases exponentially as a result. With complete visibility into user behavior, it’s possible to spot the inconsistencies that equate to potential risks, improve employee education by identifying teachable moments, and ultimately, minimize the chances of a catastrophic cyber attack.”
Gaps in insider threat education and understanding: A large portion of government employees with security clearance seem to grasp the significance of insider threats, with 42 percent noting that they themselves pose the greatest risk to the security of their organization. However, nearly the same number (40 percent) – less than half – were able to correctly identify “insider threat” as an IT term, with the remaining 60 percent incorrectly reporting it to be a military, financial, sports, engineering or medical term.
At the same time, more than three-quarters of respondents (77 percent) are confident that their organization has an educational program about insider threats. But the demonstrated lack of a basic understanding of insider threats, compounded by negligent and risky behaviors, indicates a significant need for continued and improved education across the public sector, from the federal government to small local agencies.