Assuming the Best and Worst of the Infosec Practitioners
Most Follow the Rules, but a Few Flout Them
One would figure that the thousands of people roaming the cavernous floor filled with hundreds of vendor booths at last month's RSA2011 conference would mostly be IT security practitioners interested in buying IT security wares. And one also would assume that those individuals would be savvier than most on what constitutes proper IT security hygiene.
Let's put aside for a moment the axiom that a journalist should never assume.
Ipswitch is a maker of software used to securely transfer documents over the Internet. The company asked visitors to its RSA booth to fill out a survey. One hundred thirty-four complied, and the company released the results on Tuesday.
A significant number - though far from a majority - of those 134 survey takers admitted that they don't practice what IT security purists preach: avoid sending sensitive, corporate data through their personal e-mail accounts. Why did they do it? Here's how they responded:
- 26% - My company does not monitor what I send via personal e-mail.
- 19% - The files are too large to send from my work e-mail.
- 15% - It's difficult to connect to work e-mail when outside of the office.
- 10% - Personal e-mail is significantly faster and more convenient.
- 8% - I send business documents to myself for use at my next place of employment.
Ipswitch also asked whether respondents' companies maintain policies and tools to move and share information. Forty-eight percent replied yes, but they're not enforced; 10 percent said yes, but they ignore them; and 6 percent responded no, and they like it that way.
Assuming these numbers reflect reality - again, I'm throwing caution to the wind - the vast majority of these IT security practitioners do the right thing, but 16 out of 100 would flout the rules. Isn't that known as an insider threat?
Speaking of an insider threat, Ipswitch asked its visitors about the impact on their organizations of the WikiLeaks breach - a more egregious menace than disregarding e-mail security policies - in which an Army private is alleged to have disclosed a quarter-million-plus sensitive and confidential diplomatic cables. Here are the results:
- 43% - My company ignored the WikiLeaks threat.
- 39% - My company discussed the risks, but made no major changes to the way we share and protect information.
- 17% - My company implemented new policies and tools to protect against similar leaks.
- 11% - My company implemented new policies to protect against similar leaks.
These numbers reflect the fact that the scale of the WikiLeaks breach is too big for most organizations to fathom. That's my assumption, of course.