Can't Be Bothered: Non-Security Policy Used By 90% Of Workers

Most workers put convenience ahead of security policies, with 90% of them admitting that they ignore those policies when they feel they need to.

Almost two-thirds of employees report regularly using personal technologies for work, primarily for the sake of convenience. For example, most workers confess to sending a file from their company computer to a personal email account so they can work while not in the office.

"Employees will often work around controls, especially ones they feel are onerous, as a way to make their job easier," said Brian Lee, Data Privacy practice leader, CEB.

"This 'Rationalised Noncompliance' can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth. Establishing a more balanced approach to information governance, one that complements technological controls with prudent and relevant privacy policies that employees can easily follow, will allow companies to effectively use the information they collect and protect against a damaging data breach."

Due to the advent of cloud-based productivity tools and the increase in collaboration between employees, more data is changing hands and leaving company-controlled networks than ever before, meaning that employees are putting more sensitive data at risk than at any previous time.

The costs of this are significant: CEB found that the average Fortune 1000 company already spends more than $400,000 each year notifying customers and employees of privacy failures, and that figure covers only the failures that are reported. In fact, 45% of internal privacy failures are caused by intentional but non-malicious employee actions.

"While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches, employee behavior," said Lee. "Investing in technology to improve security is essential, however organizations also need to ensure that employees are doing their part to protect sensitive information."

Most employees do not want to willingly violate security policies, but the reality is that they’re sometimes forced into doing so.

"I do not find it surprising that employees violate data breach policies, because I have indeed been in the same situation," said Mike Ahmadi, global director, Critical Systems Security, Synopsys Software Integrity Group. "In one case the IT department simply did not have any failure mode in place to compensate for instances where the policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower-level IT support staff would often suggest the workaround."

He added, "The business world penalises lost productivity and does not reward employees who use the excuse, 'I was following the data loss policy guidelines.' Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies."

A similar 2015 survey conducted by Balabit showed a full 69% of employees as being willing to bypass security for expediency.

"Today's 90% number, although conducted among a different target group, marks a significant increase in just a year," said Zoltán Györko, CEO at Balabit.

"So in other words, while hackers are getting more malicious and creative in their approaches, organisations may be becoming more complacent. Both trends are moving in the wrong direction."

Infosecurity:
