Don’t Blame “Stupid Users” for Data Breaches

If you’ve traced a security breach back to one individual employee, you shouldn’t be too quick to judge it the fault of the “stupid” user, according to a leading academic. The problem is far more likely a failure to educate and engage the whole workforce on good security practices.

In an article on the ZDNet website, Andrew Donoghue says Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, told attendees at the Cyber Warfare 2008 event in London last week that most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.

“Lots of organizations claim to have a culture of information security, but in most cases I would say that this is not true and unfounded,” she told an audience made up of military and civilian IT security specialists. “We need to get end users on side. We can’t ignore them anymore. We need to move away from command and control and interact with them.”

Part of the problem, Ashenden told attendees, is that IT security managers do not like the idea of empowering the end users and would prefer to be able to “lock them down” in the same way employees’ PCs can be locked down.

Instead, Ashenden said there should be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.

To read the full article, click here: http://news.zdnet.co.uk/security/0,1000000189,39378360,00.htm