
Users bypass security to get their jobs done

By Ron Condon, UK bureau chief
03 Apr 2008 | SearchSecurity.co.uk


A poor understanding of the Data Protection Act is creating unnecessary restrictions on the use of personal data in organisations, and is forcing employees to bypass security in order to get their jobs done.

According to new research from IT Governance, a consultancy, two-thirds of employees find a way around security controls, not with any malicious intent, but merely to do their jobs properly.

"The problem is that companies tend to pass data protection to the IT department to look after," said Alan Calder, chief executive at security consultancy, IT Governance. "The IT department knows it's their head on the block if anything goes wrong, so they focus on protecting confidentiality of information based on their interpretation of what they think the law is." By locking the information down too tightly, the IT department forces users to find ways around the system.

Calder said he had seen many examples of this happening. For instance, hospice nurses had been forced to print off patient records because their network was unreliable and because restrictions on access meant they could not get to information as quickly as they needed.

In another case, payroll staff were not officially allowed to work from home on their personal machines because the link was not considered secure enough. So they copied files on to USB sticks and took the information home to work on.

"In some circumstances, the USB stick was lost, and was usually unencrypted," Calder said. "Sometimes the home workstation had a nice collection of Trojans and other malware that the user brought back in and infected the corporate system."

He said company boards needed to take a closer interest in data protection and information security, rather than leaving it to the IT department. "Management has to decide on the balance between providing information to people who need it, and the type of restrictions that are necessary to protect it. It means there has to be an intelligent conversation with the people who work with the data."

Those conversations might end up recommending technical solutions, such as whole-disk encryption for laptops or secure access for remote users, but Calder said the answer was to "just think through what the staff members really need to do their jobs, and give it to them."

The survey of 130 technology and compliance professionals took place in February, and the full findings will be published in May by IT Governance. (www.itgovernance.co.uk)
