Security professionals: Our staff break IT rules

New research suggests most organisations have a problem with staff discipline in their IT networks, with security professionals believing that rules and restrictions laid down by IT departments are readily broken.

The findings come from a study by security management firm Lieberman Software, which surveyed nearly 250 security administrators (just under half of whom worked in organisations with more than 1,000 employees) at February’s RSA Conference in San Francisco.

Of those questioned, over 81 per cent said they suspected employees ignored the security regulations imposed by their organisation.

Meanwhile, as many as 38 per cent had witnessed a colleague access company information they were not permitted to see, and 54 per cent of those respondents did not report the colleague, despite their own security responsibilities within the organisation.

The results underline a problem recently raised by researchers at Gartner, who argue that the number of constraints placed on staff within an IT network actually makes them more likely to breach security, creating “noise” that obscures more dangerous threats from cyber criminals outside the organisation. A new security model that strips back controls and places more trust in members of staff has been proposed, and some companies are already applying the idea.

And more IT professionals may soon be drawn to a change of mentality towards security, given that 73 per cent of those surveyed by Lieberman said they would not bet $100 of their own money that their company would avoid a data breach in the next six months.

Commenting on his firm’s survey, CEO Philip Lieberman agreed that new ideas and solutions need to be considered. “IT groups must…look beyond conventional security products and invest in technology like privileged identity management (PIM),” he said.

“PIM products ensure that powerful privileged accounts found throughout the enterprise in large organisations are available only to authorised IT personnel with limited-time, audited access. This ensures that end-users are not able to accidentally or maliciously change configuration settings, access systems with sensitive data, or perform other actions that are not required of their jobs.”
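The mechanism Lieberman describes, privileged accounts that can only be checked out by an authorised person for a bounded time, with every decision written to an audit trail, is illustrated below by a small in-memory broker. This is an added example written for this page, not code from Lieberman Software or any PIM product; the account names, the authorised-user table, the `FakeClock` helper and the 60-minute cap are all constructed for illustration, and the random token stands in for what a real product would do (rotate the account's password or issue a short-lived certificate).

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Constructed sample policy (illustrative): which users may check out which
# privileged accounts. In a real deployment this comes from a directory/vault.
AUTHORISED: Dict[str, set] = {
    "root@db01": {"alice", "bob"},
    "Administrator@ad01": {"alice"},
}

MAX_LEASE_MINUTES = 60   # hypothetical hard cap on how long a lease may last


@dataclass
class Lease:
    token: str           # ephemeral credential handed to the user (stand-in)
    account: str
    user: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (helper)."""
    def __init__(self, start: Optional[datetime] = None):
        self.t = start or datetime(2000, 1, 1, tzinfo=timezone.utc)  # constructed
    def __call__(self) -> datetime:
        return self.t
    def advance(self, minutes: int) -> None:
        self.t += timedelta(minutes=minutes)


class PrivilegedAccessBroker:
    """Issue time-limited, audited leases on privileged accounts."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._leases: Dict[str, Lease] = {}
        self.audit: List[dict] = []   # append-only audit trail (one dict per event)

    def _log(self, event: str, user: str, account: str, **extra) -> None:
        entry = {"ts": self._clock().isoformat(), "event": event,
                 "user": user, "account": account}
        entry.update(extra)
        self.audit.append(entry)

    def checkout(self, user: str, account: str, justification: str,
                 minutes: int = 30) -> Optional[Lease]:
        """Grant a lease only to an authorised user with a justification.
        Denials are logged too, so unauthorised attempts are visible."""
        if user not in AUTHORISED.get(account, set()):
            self._log("checkout_denied", user, account, reason="not authorised")
            return None
        if not justification.strip():
            self._log("checkout_denied", user, account, reason="no justification")
            return None
        minutes = min(minutes, MAX_LEASE_MINUTES)   # never exceed the cap
        now = self._clock()
        lease = Lease(token=secrets.token_urlsafe(32), account=account, user=user,
                      issued_at=now, expires_at=now + timedelta(minutes=minutes))
        self._leases[lease.token] = lease
        self._log("checkout_granted", user, account,
                  expires_at=lease.expires_at.isoformat(), justification=justification)
        return lease

    def verify(self, token: str) -> bool:
        """Called by the target system: is this ephemeral credential still valid?"""
        lease = self._leases.get(token)
        if lease is None:
            self._log("verify_failed", "?", "?", reason="unknown token")
            return False
        if lease.revoked:
            self._log("verify_failed", lease.user, lease.account, reason="revoked")
            return False
        if self._clock() >= lease.expires_at:
            self._log("verify_failed", lease.user, lease.account, reason="expired")
            return False
        self._log("verify_ok", lease.user, lease.account)
        return True

    def revoke(self, token: str, by: str) -> bool:
        """Administrative early termination of a lease; also audited."""
        lease = self._leases.get(token)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        self._log("revoked", lease.user, lease.account, by=by)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    broker = PrivilegedAccessBroker(clock=clock)
    lease = broker.checkout("alice", "root@db01", "incident 42", minutes=240)
    clock.advance(61)
    broker.verify(lease.token)          # fails: lease has expired
    for entry in broker.audit:
        print(entry)
```

The two properties worth checking in any real product are the ones the quote names: the lease is bounded in time regardless of what the requester asks for (here the 240-minute request is capped at 60), and every grant, denial, verification and revocation lands in the audit trail, so a colleague browsing data they are not entitled to shows up as a `checkout_denied` entry rather than relying on a co-worker to report it.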