According to a recent survey from security firm RSA, a majority of workers polled said they regularly feel the need to dodge corporate security policies in order to get their job done.
The survey points out that while many organisations are concerned about malicious insider threats, the real danger lies in the huge amount of seemingly innocent rule-breaking that goes on daily by otherwise well-intentioned employees.
Gartner analyst Frank Kenney gave some thoughts on the major reasons why people don't adhere to corporate security policies -- and what is needed to encourage them to do so.
Even though employees know about them, security policies aren't always black and white, Kenney says. The RSA survey found most respondents said they are 'familiar' with their organisation's security policies. But many companies may be sending out mixed messages to employees, he says.
"If I work for a company where I can't use gmail, but I have access to gmail, the company isn't giving me a better way to send out large files, and they haven't blocked gmail, I'm going to use gmail," he says.
Kenney's point is that if an organisation is going to insist that workers not use certain applications or visit certain websites, it needs to do more than just put the rule down in the company manual. IT security staff need to make sure workers are aware of the policy by making the points clear when an employee is hired, and by sending out refresher materials afterwards. Also, put the tools in place so breaches don't happen, stresses Kenney: if you don't want employees on gmail, take the time to actually block the site rather than relying on the written rule alone.
Even if you have the rules in place, and you know everyone is aware of them, what will stop employees from breaking them if they know there is no repercussion for their actions?
"If you run a red light, you know there is a chance the police will stop you," said Kenney. "But with many security rules, employees know they will never be reprimanded for going against company policy."
RSA said respondents to its survey admitted to accessing work email accounts through a public computer. A majority also said they had accessed work email accounts over a public wireless network. Both these practices put sensitive corporate data at risk. But do your employees really know that? And why should they care if they never get caught? Kenney suggests educating staff about the implications of their actions.
People have been working around security since the dawn of IT in order to get their jobs done, says Kenney. Early examples include printing out sensitive documents that IT has blocked from download or distribution over email.
"You can lock laptops down and keep people from putting in flash drives to save things. But you know what they will do? They will print them out and do what they need to do to be productive."
Staff often view IT and security policy as a hindrance to productivity. And in many ways, it is, says Kenney. In his opinion, the riskiest behaviour employees engage in lately is the aforementioned use of free web-based services like Yahoo, Hotmail or gmail to send company documents.
A recent report from the consulting firm Aberdeen Group found demand for secure/managed file transfer products is growing in several industries because of the need to share large files safely.
"When employees use web email as a workaround, companies don't know what kind of intellectual property is ending up in the cloud. They need the tools in order to transfer files safely", the report states.