Security Failures Continue, Where are the Consequences?
The Seattle Times reports on a simple but highly effective social engineering attack in Careless workers expose IRS data. It makes me wonder what kind of consequences follow this kind of failure to follow directions. In an earlier post I commented that IT managers should take responsibility for allowing P2P software on their networks rather than blaming P2P vendors for leaks of confidential information. The same goes for workers who give out their passwords or change them at the direction of a stranger on the phone.
According to the Seattle Times article:
The Treasury Inspector General for Tax Administration said 61 of 102 employees agreed to help a caller pretending to be a technician fix a problem by disclosing their passwords and then changing them to one suggested by the caller.It's the third time since 2001 that IRS employees failed to protect passwords and follow security rules even after the agency provided extra training to workers to fix the problem.
In addition to training users about the need to protect their passwords we should start including discussions about the consequences of not following security procedures. And lets hold people responsible for doing the job they are supposed to do.
While the IRS and other government agencies are exposed to the public eye much more than corporations, I have no reason to think this problem is limited to federal employees. If we had similar data on private sector organizations, I'm sure we'd see similar results. I think the thing that would differentiate organizations that have this kind of security problem from those that don't is the consequences that follow such lapses.
What would happen to you if you changed your password at the direction of a "service desk technician?"
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
