Security Pros to Users: Do as We Say, Not as We Do

IT pros — the gatekeepers of company security policies — are willing to bend the rules to get things done, according to Absolute Software, based on survey findings it released last week.

Forty-five percent of IT pros confessed they knowingly worked around their own security policies, according to the survey.

Moreover, 33 percent admitted to hacking their own or another organization’s systems.

Gatekeepers Become Gatecrashers

In addition, of some 500 IT and security pros in the United States participating in the survey, 46 percent said employees represent the greatest security risk to their organizations.

“They view the employees of their organizations as a threat because employees view security as an impediment. They view IT as an impediment,” said Stephen Midgley, Absolute’s vice president for global marketing.

That attitude is espoused commonly in security circles, but what isn’t so commonly known is how many IT pros are willing to engage in behavior they condemn in others.

“What surprised us was that the gatekeepers of data security are often the gatecrashers when it comes to protecting data,” Midgley told TechNewsWorld.

“If IT professionals can’t be trusted to follow their own security policies, what hope is there for the rest of the employee base?” said Kunal Rupani, director of product management at Accellion.

“Unfortunately, there isn’t an easy fix given the fact that, in many cases, shortcuts are taken for purposes of convenience and productivity,” he told TechNewsWorld. “Employees will always look for quicker or more efficient ways to accomplish their daily tasks.”

Taking Shortcuts

That’s true of IT pros, too. “They choose the fastest path to get the job done,” said Tom Clare, vice president for marketing at Gurucul.

“In the defense industry, you can spend up to an hour a day logging in and logging out with token authentication systems,” he told TechNewsWorld.

“If you’re in a high-pressure security or systems administrator’s job and you’re asked to do way too many things quickly, you’re going to try to smooth things out and take shortcuts,” Clare added.

There can be reasons other than cutting corners for security personnel to sidestep policies and hack into their own systems.

“There are times that require they access their network or systems pretending to be a hacker,” said Rick Kam, president of ID Experts.

Pen Testing

Security pros would have to hack their systems if they were doing penetration testing of their networks.

“A lot of organizations have antiquated infrastructure, so they may be trying to penetrate their own systems to look for faults and holes that they can patch,” Midgley explained.

“If there are vulnerabilities out there and there are holes in your security program somewhere, it’s best to find them yourself, as opposed to having them exploited by a third party,” said Rick Orloff, CSO of Code42.

However, “at no point should anyone be hacking any system or service that they don’t own or control or have permission to hack,” he told TechNewsWorld.

Rules may have to be bent on other occasions, too.

“There may be other times in cases of emergency, such as when a network device or system goes down unexpectedly,” Kam told TechNewsWorld.

“Other than that,” he said, “IT management should ensure their IT professionals adhere to security protocols and procedures.”

Abuse of Power

Nevertheless, it’s not uncommon to find those with power in an organization creating security problems for it.

“Knowing what I do about the industry from the perspective of a security service provider, I can personally attest that IT and C-level people are likely to be the worst security nightmare for any company,” said Pierluigi Stella, CTO of Network Box USA.

“C people think they’re invincible and are usually arrogantly impatient. They demand special treatment and expect it without delay,” he told TechNewsWorld.

“They fail to realize that they’re often the target of hackers looking to steal corporate bank accounts or other valuable information,” Stella said.

“Even worse is the situation with the IT people,” he added. “I guarantee you if there are no controls, they’ll abuse their power.”

Generation Gap

The Absolute survey also found a generational difference in attitudes toward security.

For example, among 18- to 44-year-olds, 41 percent were most likely to hack their own systems, compared with 12 percent for pros over 45.

Younger pros were also more optimistic about security. For instance, 92 percent of 18- to 44-year-olds were confident they could contain a data breach, compared with 79 percent of their older peers.

“It’s a digital native versus digital immigrant thing,” Absolute’s Midgley said.

“Younger people have grown up with technology,” he noted. “They are more adept at using technology. They look at technology in a different way than older people who have adopted technology during their career.”

Breach Diary

  • Feb. 15. Hacker known as ROR[RG] dumps 17.8 GB of data stolen from servers operated by Turkish police to the Internet.
  • Feb. 15. KTVT TV reports court records containing sensitive information about tens of thousands of Texans, including children, have been available for anyone to see on the Internet for more than a decade.
  • Feb. 15. Vidant Health announces it has discovered that an unknown number of employee records at its Duplin, North Carolina, hospital have been compromised by unauthorized access to them by an outside source.
  • Feb. 15. Magnolia Health in California reports sensitive information about all active employees was compromised when a spreadsheet containing the information was sent to a third party in response to a bogus email from the company’s CEO.
  • Feb. 15. Radiology Regional Center PA announces personal information of an undisclosed number of patients is at risk after its records disposal vendor released the records in Fort Myers, Florida, as they were in transit to be incinerated. After a foot search by center staff of the area in which the records were released, it’s believed virtually all the records were recovered.
  • Feb. 16. Kankakee Valley REMC in Indiana announces records for 17,700 members are at risk after an audit discovered a storage device on its network was accessed by a foreign IP address.
  • Feb. 16. The U.S. departments of Homeland Security and Justice issue guidelines and procedures required by the Cybersecurity Act of 2015 for providing federal agencies and the private sector with a clear understanding of how to share cyber threat indicators with DHS’s National Cybersecurity and Communications Integration Center and how the center will share and use that information.
  • Feb. 16. The California attorney general reports 49 million records containing personal information of the state’s residents were compromised in 657 data breaches from 2012 to 2015.
  • Feb. 17. Twitter announces it has fixed a bug in its password recovery system that potentially could expose the email addresses and phone numbers of some 10,000 users.
  • Feb. 17. University of Greenwich in the United Kingdom apologizes to hundreds of students after personal information about them was accidentally posted to the Internet.
  • Feb. 17. The Associated Press reports an investigation is under way after a data breach resulted in posting to the Internet sensitive information of 3,500 Florida law enforcement officials. The information was posted to a website created by a former Palm Beach County sheriff’s deputy who says he sold the site in 2012 to some friends in Russia.
  • Feb. 18. Hollywood Presbyterian Medical Center in California pays $17,000 for decryption key from hackers who scrambled the data on the hospital’s computer systems keeping them offline for more than a week.
  • Feb. 18. Washington State Department of Transportation reveals a former contract employee accessed without authorization the personal information of 500 customers of its Good To Go program and stole the credit card information of 13 of them.
  • Feb. 18. University of Mary Washington in Virginia reveals the personal information of 4,100 employees, students and alumni is at risk after an employee’s laptop was stolen in January.
  • Feb. 19. U.S. Justice Department files a motion with a federal magistrate judge in California to force Apple to decrypt data on iPhone of San Bernardino shooter Syed Rizwan Farook.

Upcoming Security Events

  • Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
  • Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: until Feb. 26, $2,295; after Feb. 26, $2,595.
  • Feb. 29-March 4. HIMSS16. Sands Expo and Convention Center, Las Vegas. Registration: $1,165.
  • March 8. FFIEC & Anomaly Detection Done Right. Noon ET. Webinar sponsored by Praesidio. Free with registration.
  • March 10. FFIEC & Anomaly Detection Done Right. 2 p.m. ET. Webinar sponsored by Praesidio. Free with registration.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
  • March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
  • March 24. Massachusetts Attorney General’s Office Forum on Data Privacy. Ray and Maria Stata Center, Kirsch Auditorium, Room 32-123, 32 Vassar St., Cambridge, Massachusetts. RSVP required.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Hwy 79), Round Rock, Texas. Free.
  • April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 12. 3 Key Considerations for Securing your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
  • April 13. A Better Way To Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston, Texas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
