Now that the government is open for business again, federal employees will be back on their computers and the mobile devices they weren’t allowed to touch during the shutdown. This is the perfect time to discuss a new survey from MeriTalk, underwritten by Akamai Technologies, Inc.
This survey wins the prize for best name: “Cyber Security Experience: Cyber Security Pros from Mars; Users from Mercury.” The report compares what cyber security professionals say about the security within federal agencies with what the end-user employees actually experience. The results show that cyber security is a two-way street; security professionals can’t simply lay down the cyberlaws without taking the user experience into account. If they do, the user will find ways to circumvent security. FCW.com explained:
[T]he study finds 31 percent of federal employee end-users use some form of security work-around at least weekly, and nearly 20 percent of feds have failed to complete a work assignment because of existing security measures. Feds reported being most frustrated by simple tasks like surfing the web and downloading files, the same two tasks that cybersecurity professionals said most frequently produced security breaches through external attacks like phishing and malware.
Bottom line, what the end user wants is user-friendly security measures, while the security professionals are focused on making sure the networks are protected. However, the study shows that the less user-friendly the security is, the less effective it is. This compliance breakdown results in more breaches and other security problems.
As Tom Ruff, vice president public sector, Akamai, stated in a release:
More security rules, more security tasks, and more security delays have done little to drive more user buy-in for cyber security. Without question, Federal cyber security pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security.
I think this study is incredibly insightful. Perhaps employees are better educated about security concerns than we give them credit for, and the problem is that they don’t like how security makes their job harder. I don’t think that is an excuse for employees to skip over security. Rather, there should be dialogue between security professionals and end users when it comes to security practices. Network security is most effective when everyone works together.