Survey: Most Enterprises Still Blame End-User Incompetence for Security Lapses

But experts say this line of thinking doesn’t help, and companies should hold themselves responsible for securing their networks.

Maria Korolov

October 23, 2019


Data center cybersecurity professionals face many threats on a daily basis—cybercriminals, nation-state attackers, hacktivists, even malicious insiders.

But a company’s own employees are the biggest threat of all, more important than all the others combined, according to a recent survey conducted by Data Center Knowledge and its sister sites in the Informa Tech family.

Download the full DCK Data Center Security survey report here

But it’s not out of malice. “Employees lacking security awareness” was named as the single greatest threat to security by 50 percent of respondents. The next biggest threat, cybercriminals, was far behind at just 18 percent.

[Figure: DCK security survey, report slide 1]

When the survey asked what made the biggest difference in improving a data center’s vulnerability posture, the most popular answer was better end-user training and education, with 40 percent of respondents choosing it as one of the top three factors.

[Figure: DCK security survey, report slide 2]

Respondents also wanted end users to take more responsibility for security, with 43 percent putting it at the top of their cybersecurity wish list. By comparison, just 40 percent wished they had less legacy technology to secure, only 30 percent wanted to have more automation, and just 23 percent wanted a bigger budget for security tools next year.

[Figure: DCK security survey, report slide 3]

“Cybersecurity is a shared responsibility across the business ecosystem,” Leo Taddeo, CISO at Cyxtera Technologies, a large Florida-based data center operator, told DCK in an interview. “That includes IT staff, other employees, partners, vendors, customers – anyone and everyone who accesses the network and data.”

But it’s more productive to talk about solutions than to assign blame, he added.

“Enterprises need to promote a security culture and give people the resources, training, and tools needed to better protect themselves and the organization,” Taddeo said.

Meerah Rajavel, who at the time of the interview was CIO at Forcepoint, an Austin-based cybersecurity vendor, was in charge of security for both the company’s own internal data and that of its customers at dozens of different on-premises, colocation, and cloud data centers.

“At the end of the day, the buck stops with me,” Rajavel, now a board member at TruU, also a cybersecurity company, said. “I take responsibility for every aspect of it. I would never stand up, as a CIO, and say, ‘You guys are dumb, that’s why we’re having problems.’”

As a company, Forcepoint is built around the idea that humans are the biggest cybersecurity risk, she said. “But it’s a two-way street. You have to educate users and not expect people to go out and keep up on the latest in cybersecurity. Give them one concept at a time, make it interactive, use micro-learning.”


Even the best-educated and savviest users can fall victim to phishing attacks, Rajavel added. Cybercriminals “are getting extremely, extremely clever.”

So, at Forcepoint there are systems in place to catch malicious links, behavioral analytics to spot suspicious activity, network segmentation, and privileged account management for users who have root or admin access to systems. For platforms that a wide variety of users need to access, the company uses multi-factor authentication.

“If you don’t have the right architecture, you can’t blame people for what’s happening,” Rajavel said.

Richard Bird, chief customer information officer at Ping Identity, said he’s spoken to hundreds of companies over the past three years about identity control.

“Most companies rely on strong passwords because they still believe that the primary responsibility for security belongs to the user,” he said.

That belief has failed repeatedly in breach after breach, he said. “Companies using multi-factor authentication have taken a big step towards acknowledging that security is the responsibility of the organization – not the user.”

In areas outside of cybersecurity, users are rarely blamed for not knowing something, said Kelly Shortridge, VP of product strategy at Capsule8, a New York-based cybersecurity company.

“What’s missing from security practitioners is user research and empathy,” she said. “This refrain of employees being the downfall of security programs has existed for nearly two decades, and scant improvement is to be found.”

It’s time to get rid of the term “user error” in security, Shortridge said. “Instead, understanding the root cause of why users violated security policies and incrementally improving processes and systems around this reality will be far more powerful than pointing the finger and denying the reality of how employees operate.”

Blaming users also erodes trust and makes it harder to carry out cybersecurity projects in the future, said Nate Lesser, former deputy director of the National Cybersecurity Center of Excellence at NIST and currently CEO at Cypient Black, a Maryland-based cybersecurity firm.

Say, for example, the cybersecurity team has decided that two-factor authentication is necessary for a new business-critical system.

“If you’ve developed an adversarial relationship with users, blaming them, belittling them, and ignoring their past concerns, you are likely to meet stiff resistance,” he said.

It’s also counterproductive for enterprises to point the finger at IT or security employees, said Terence Jackson, CISO at Thycotic Software, a Washington, D.C.-based cybersecurity vendor.

“In the Equifax breach, the former CEO attempted to pass the blame to a single employee that failed to deploy a patch,” he said. “Fair or foul? I call foul. Enterprises need to adopt a culture of security that involves everyone, not just a single group.”

There are big-picture issues involved here, Jackson said, like talent shortages.

“Ultimately, security is a board-level decision to make sure the enterprise has the people, processes, and technology to enable the business to be effective in its mission,” he said.


About the Author

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.

https://www.mariakorolov.com/
