For example, 51% of respondents -- company IT professionals -- say they have copied confidential data onto a USB memory stick. And 57% say others in their company do also. In some cases, this is allowed: 13% say it's officially permitted behavior, 23% say it's permitted if the data is encrypted. But 32% acknowledge it's forbidden, 22% say there's no data security policy at all, and 11% don't know one way or the other (numbers do not equal 100% because of rounding.).
When asked why copying is done if it's forbidden, 29% of the IT professionals say "If I didn't have the information, I would not complete my work on time." Another 21% say "no one really cares about compliance with this policy," and 40% say "the company does not enforce the policy." Those three reasons repeatedly surfaced, in roughly similar percentages, throughout the survey as the main reasons why these behaviors were widespread. Another recurring reason was "I am not aware of the policy."
As a result, the study notes that companies lack comprehensive mobile security policies, or systematic user training about them, or the means to enforce them, or some combination of these three. Only 10% of respondents say their company has a policy to deal with the loss of a portable storage device that contains sensitive company data, for example. Thirty-three percent say they're not aware of any company policy that restricts the copying of business information.
- Downloading personal software to company-owned computing devices: 45% say they do it, and 60% say there is no stated policy against it.
- Sending workplace documents to a home computer as an e-mail attachment: 33% say they do it, 48% are unsure whether it's forbidden to do so.
- Sharing passwords with coworkers: 46% say they do it, 67% say they believe doing so is a violation of policy.
- Turning off security settings or firewall on a workplace computer: 17% say they do it, and 80% say they are unsure whether it's a violation.