Federal Security Breaches Traced to User Noncompliance

Are strong security protocols actually making the federal government less secure?

According to a new study by MeriTalk, federal cybersecurity professionals are so focused on implementing rigid policies to lock down data that they often ignore how those rules will impact end users within their agencies.

The result, perhaps predictably, is that many government workers resent the burden that security protocols impose, complaining that they are time-consuming and hinder productivity, while nearly a third say that they regularly use a workaround to circumvent the security roadblocks.

Respondents to the MeriTalk survey, which was underwritten by cloud provider Akamai, noted a direct correlation between onerous security policies and a lack of compliance. Small wonder then that security professionals said that nearly half — 49 percent — of federal security breaches can be attributed to end users not complying with the policies in place at their agencies.

“More security rules, more security tasks and more security delays have done little to drive more user buy-in for cybersecurity,” Tom Ruff, vice president of Akamai’s public sector division, said in a statement.

Security Is Important, but &.

For the survey, the government IT consortium MeriTalk polled 100 cybersecurity professionals within the government and another 100 non-cyber workers to arrive at a comparison between policies and the ways that they are put into practice.

It’s not that government workers don’t appreciate the importance of security. Ninety-five percent of respondents — cybersecurity workers and end users alike — agreed that maintaining strong security is critical to their agency’s operations, and 98 percent said that security is everyone’s responsibility.

So if the spirit of shared responsibility is there, the new report argues that cybersecurity professionals need to better attune themselves to the day-to-day challenges that agency workers face.

“Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security,” Ruff said.

The increasing sophistication of cyber threats and the new IT initiatives agency CIOs are pursuing across the government add a sense of urgency to harmonizing security policies with end user behavior. For instance, 74 percent of the cybersecurity professionals polled said that they are unprepared for an international attack, and an equal number said they aren’t equipped to adequately secure access to mobile devices.

Then 70 percent said that they aren’t prepared to secure cloud environments, and 70 percent also said they aren’t ready to fend off a denial-of-service attack. At the same time, half of cybersecurity workers polled said that they anticipate that their agency will be the victim of a DoS attack in the coming year.

The severity of those challenges, along with the general feeling of unpreparedness, has impelled cybersecurity professionals to implement more rigid policies to lock down agency data and restrict access.

Seventy-four percent of security pros said that preventing data theft is a top priority, meaning that it merits a nine or 10 on a 10-point scale. More than half of respondents said that a secure Web strategy, maintaining and upgrading security systems, rolling out fresh cybersecurity protocols and mitigating DoS attacks were each similarly important. But just 40 percent named a user-friendly experience as a top priority.

That apparent imbalance has been a source of frustration within federal agencies. In the polling of end users, 66 percent described their agency’s security protocols as burdensome and time-consuming, and just a shade more said that it takes longer to complete certain tasks because of the security roadblocks.

Thirty-one percent of respondents said that they navigate around their agency’s security protocols at least once a week.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.