UK Govt – No preventative security measures for internal users. Are they mad??

Reading the Government Service Design Manual, and especially the section on Security as an Enabler, I found an interesting paragraph. When talking about internal users, it states:

“It is the intention of the Civil Service Reform Plan and the new Security Classification Policy that there is greater emphasis on user responsibility, reducing expensive and overbearing technical controls. This requires proper training to assist users in handling sensitive information, and auditing to verify users are acting responsibly.

Users should be trusted to carry out their roles and given the responsibility to do so securely.

Audit and verification of user behaviour should be used to ensure policy compliance instead of preventative measures which add cost and degrade productivity. Such audit and verification should be implemented by services or network infrastructure, away from the end user device.”

I find this a shocking statement. You only have to look at the press or read the annual Verizon Data Breach report to see that the threat from insiders is growing (14% in 2013), with 13% of breaches occurring from privilege misuse or abuse.

It’s very brave (or stupid) to rely on detective controls alone and therefore only close the stable door once the horse has bolted. Surely the cost and ‘degraded productivity’ of preventative controls should be measured against the increased risk and reduced compliance that comes from doing without them.

I would argue that to use security as an enabler, you must ensure that you have the appropriate mix of preventative AND detective controls in place before you can enable those services that are going to provide the real benefits and savings.