Cant Be Bothered: Non-Security Policy Used By 90% Of Workers

Most workers put convenience ahead of security policies, with 90% of them admitting to ignoring them when they feel they need to.

Almost two-thirds of employees report regularly using personal technologies for work, primarily for the sake of convenience. For example, most workers confess to sending a file from their company computer to a personal email account so they can work while not in the office.

"Employees will often work around controls, especially ones they feel are onerous, as a way to make their job easier," said Brian Lee, Data Privacy practice leader, CEB.

"This 'Rationalised Noncompliance' can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth. Establishing a more balanced approach to information governance, one that complements technological controls with prudent and relevant privacy policies that employees can easily follow, will allow companies to effectively use the information they collect and protect against a damaging data breach."

Due to the advent of cloud-based productivity tools and the increase in collaboration between employees, more data is changing hands and leaving company-controlled networks than ever before, meaning that employees are putting more sensitive data at risk than ever before.

The costs to this are significant: CEB found that the average Fortune 1000 company already spends more than $400,000 notifying customers and employees of privacy failures each year, and that's only for the failures that are reported. In fact, 45% of internal privacy failures are caused by intentional but non-malicious employee actions.

"While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches, employee behavior," said Lee. "Investing in technology to improve security is essential, however organizations also need to ensure that employees are doing their part to protect sensitive information."

Most employees do not want to willingly violate security policies, but the reality is that they’re sometimes forced into doing so.

"I do not find it surprising that employees violate data breach policies, because I have indeed been in the same situation,” said Mike Ahmadi, global director, Critical Systems Security, Synopsys Software Integrity Group. “In one case the IT department simply did not have any failure mode in place to compensate for instances where the policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower-level IT support staff would often suggest the workaround.”

He added, “The business world penalises lost productivity and does not reward employees who use the excuse, ‘I was following the data loss policy guidelines.’ Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies."

A similar 2015 survey conducted by Balabit showed a full 69% of employees as being willing to bypass security for expediency.

“Today's 90% number, although conducted among a different target group, marks significant increase in just a year,” said Zoltán Györko, CEO at Balabit.

“So in other words, while hackers are getting more malicious and creative in their approaches, organisations may be becoming more complacent. Both trends are moving in the wrong direction."

Infosecurity:

 

« Cyber Attack Takes Liberia’s Entire Internet Down
Internet of Things: 2017 Predictions »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

King & Spalding

King & Spalding

King & Spalding is an international law firm with offices in the United States, Europe and the Middle East. Practice areas include Data, Privacy & Security.

European Council on Foreign Relations (ECFR)

European Council on Foreign Relations (ECFR)

ECFR is a pan-European think-tank conducting research and promote informed debate on European foreign policy. Cyber security is becoming an intrinsic element of foreign policy debate.

NetExtend

NetExtend

NetExtend services include backup and recovery, endpoint protection, network monitoring, cloud portal and billing and payment solutions.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator invests in early stage disruptive companies in the security industry including, Cybersecurity, Internet of Things (IOT), Blockchain and AI.

ACA Group

ACA Group

ACA Group are a leading governance, risk, and compliance (GRC) advisor in financial services.

Macquarie Telecom Group

Macquarie Telecom Group

Macquarie Telecom is Australia's datacentre, cloud, cyber security and telecom company for mid-large business and government customers.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Brace168

Brace168

Specialising in Cyber Security incident identification and response, Brace168 is uniquely positioned to provide a vast experience in managed security services to meet the needs of all business types.

ClearHub

ClearHub

The aim of ClearHub is simple: to give businesses like yours access to the best talent, all screened and technically tested by Clearvision’s expert team.

SandboxAQ

SandboxAQ

SandboxAQ is an enterprise SaaS company combining AI + Quantum tech to solve hard problems impacting society.

Immunefi

Immunefi

Immunefi provides bug bounty hosting, consultation, and program management services to blockchain and smart contract projects.

LevelBlue

LevelBlue

LevelBlue simplify cybersecurity through award-winning managed security services, experienced strategic consulting, threat intelligence and renowned research.

UberEther

UberEther

UberEther are a dedicated group of software developers and consultants developing and deploying the next generation of identity management and cloud solutions.