Federal Security Breaches Traced to User Noncompliance

Are strong security protocols actually making the federal government less secure?

According to a new study by MeriTalk, federal cybersecurity professionals are so focused on implementing rigid policies to lock down data that they often ignore how those rules will impact end users within their agencies.

The result, perhaps predictably, is that many government workers resent the burden that security protocols impose, complaining that they are time-consuming and hinder productivity, while nearly a third say that they regularly use a workaround to circumvent the security roadblocks.

Respondents to the MeriTalk survey, which was underwritten by cloud provider Akamai, noted a direct correlation between onerous security policies and a lack of compliance. Small wonder then that security professionals said that nearly half -- 49 percent -- of federal security breaches can be attributed to end users not complying with the policies in place at their agencies.

"More security rules, more security tasks and more security delays have done little to drive more user buy-in for cybersecurity," Tom Ruff, vice president of Akamai's public sector division, said in a statement.

Security Is Important, but ...

It's not that government workers don't appreciate the importance of security. Ninety-five percent of respondents -- cybersecurity workers and end users alike -- agreed that maintaining strong security is critical to their agency's operations, and 98 percent said that security is everyone's responsibility.

Given that the spirit of shared responsibility is there, the new report argues, cybersecurity professionals need to better attune themselves to the day-to-day challenges that agency workers face.

"Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security," Ruff said.

The increasing sophistication of cyber threats and the new IT initiatives agency CIOs are pursuing across the government add a sense of urgency to harmonizing security policies with end user behavior. For instance, 74 percent of the cybersecurity professionals polled said that they are unprepared for an international attack, and an equal number said they aren't equipped to adequately secure access to mobile devices.

In addition, 70 percent said that they aren't prepared to secure cloud environments, and 70 percent also said they aren't ready to fend off a denial-of-service (DoS) attack. At the same time, half of cybersecurity workers polled said that they anticipate that their agency will be the victim of a DoS attack in the coming year.

The severity of those challenges, along with the general feeling of unpreparedness, has impelled cybersecurity professionals to implement more rigid policies to lock down agency data and restrict access.

Seventy-four percent of security pros said that preventing data theft is a top priority, meaning that it merits a nine or 10 on a 10-point scale. More than half of respondents said that a secure Web strategy, maintaining and upgrading security systems, rolling out fresh cybersecurity protocols and mitigating DoS attacks were each similarly important. But just 40 percent named a user-friendly experience as a top priority.

That apparent imbalance has been a source of frustration within federal agencies. In the polling of end users, 66 percent described their agency's security protocols as burdensome and time-consuming, and just a shade more said that it takes longer to complete certain tasks because of the security roadblocks.

Thirty-one percent of respondents said that they navigate around their agency's security protocols at least once a week.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
