Can't Be Bothered: Non-Security Policy Used By 90% Of Workers

Most workers put convenience ahead of security policies, with 90% of them admitting that they ignore those policies when they feel they need to.

Almost two-thirds of employees report regularly using personal technologies for work, primarily for the sake of convenience. For example, most workers confess to sending a file from their company computer to a personal email account so they can work while not in the office.

"Employees will often work around controls, especially ones they feel are onerous, as a way to make their job easier," said Brian Lee, Data Privacy practice leader, CEB.

"This 'Rationalised Noncompliance' can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth. Establishing a more balanced approach to information governance, one that complements technological controls with prudent and relevant privacy policies that employees can easily follow, will allow companies to effectively use the information they collect and protect against a damaging data breach."

Due to the advent of cloud-based productivity tools and the increase in collaboration between employees, more data is changing hands and leaving company-controlled networks than ever before, which means employees are putting more sensitive data at risk than ever before.

The costs to this are significant: CEB found that the average Fortune 1000 company already spends more than $400,000 notifying customers and employees of privacy failures each year, and that's only for the failures that are reported. In fact, 45% of internal privacy failures are caused by intentional but non-malicious employee actions.

"While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches, employee behavior," said Lee. "Investing in technology to improve security is essential; however, organizations also need to ensure that employees are doing their part to protect sensitive information."

Most employees do not want to willingly violate security policies, but the reality is that they’re sometimes forced into doing so.

"I do not find it surprising that employees violate data breach policies, because I have indeed been in the same situation," said Mike Ahmadi, global director, Critical Systems Security, Synopsys Software Integrity Group. "In one case the IT department simply did not have any failure mode in place to compensate for instances where the policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower-level IT support staff would often suggest the workaround."

He added, "The business world penalises lost productivity and does not reward employees who use the excuse, 'I was following the data loss policy guidelines.' Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies."

A similar 2015 survey conducted by Balabit showed a full 69% of employees as being willing to bypass security for expediency.

"Today's 90% number, although conducted among a different target group, marks a significant increase in just a year," said Zoltán Györko, CEO at Balabit.

"So in other words, while hackers are getting more malicious and creative in their approaches, organisations may be becoming more complacent. Both trends are moving in the wrong direction."

Infosecurity:
