Study Finds Security Policy Adherence Problems

A Cisco-commissioned study found that employees at businesses in 10 countries around the world are often unaware of their companies’ security policies, or the employees ignore the policies because they hinder productivity.  When respondents were asked whether their companies had security policies, there was a 20 to 30 percent gap between responses from IT professionals and other employees.  When asked why security policies are violated, IT professionals pointed to ignorance, while other employees said it was because the policies made it more difficult for them to do their jobs.  The study surveyed more than 2,000 employees and IT professionals at companies in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil.

Unfortunately I have seen the same thing in every organization I have ever worked in.  Another unfortunate fact is that no real solution exists to this problem.  Most organizations will do a security awareness program that consists of InfoSec trying to convey the importance of this information without putting everyone to sleep, and the standard “signing of the security policy every year”.

Neither of these works, but they are better than nothing.

Does anyone else have any unique or effective methods they have used?

Massive World Bank Compromise

FoxNews (not one of my normal news sites… I promise) just posted a story entitled “World Bank Under Cyber Siege in ‘Unprecedented Crisis’”.

The details are fairly chilling and include some amazingly upbeat quotes like…

“While it remains unclear how much data has been pilfered from the bank, it’s a lot. According to internal memos, ‘a minimum of 18 servers have been compromised,’ including some of the bank’s most sensitive systems — ranging from the bank’s security and password server to a Human Resources server ‘that contains scanned images of staff documents.’”

And…

“The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.”

This is certainly disturbing news for a number of reasons.  Most importantly, the fact that the world’s financial system is in serious peril, and this…

“In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an ‘unprecedented crisis.’ In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.”

The last part of that quote, about trying to keep the news from leaking to the public, is what I find very disturbing.  GLB, SOX and a slew of other laws all have strict disclosure guidelines.  Trying to hide something of this magnitude is not only futile but also illegal.