Why employees ignore security

They have never heard of the 'policy', that's why.

According to a recent survey from security firm RSA, a majority of workers polled said they regularly feel the need to dodge corporate security policies in order to get their job done.

The survey points out that while many companies are concerned about malicious insider threats, the real danger lies in the huge amount of seemingly innocent rule-breaking that goes on daily by otherwise well-intentioned employees.

We asked Frank Kenney, a Gartner analyst focused on application development and integration, for some thoughts on the major reasons why people don't adhere to corporate security policies - and what they need in order to get on board with the rules.

They don't know the rules

The RSA survey found most respondents said they are 'familiar' with their organization's security policies. But policies aren't always black and white, according to Kenney. Many companies may be sending out mixed messages to employees.

"If I work for a company where I can't use gmail, but I have access to gmail, the company isn't giving me a better way to send out large files, and they haven't blocked gmail, I'm going to use gmail," said Kenney.

Kenney's point is that if a corporation is going to insist that workers not use certain applications or visit certain websites, it needs to do more than just put that down in the company manual. CSOs need to make sure workers are aware by making the points clear upon hire, and also by sending out refresher materials. Also, put the tools in place so breaches don't happen, stresses Kenney. If you don't want employees on gmail, take the time to block the site.

If they do know the rules, no one is enforcing them

Even if you have the rules in place, and you know everyone is aware of them, what will stop employees from breaking them if they know there is no repercussion for their actions?

"If you run a red light, you know there is a chance the police will stop you," said Kenney. "But with many security rules, employees know they will never be reprimanded for going against company policy."

RSA said respondents to their survey admitted to accessing work email accounts through a public computer. A majority also said they had accessed work email accounts over a public wireless network. Both these tactics put sensitive corporate data at risk. But do your employees really know that? And why should they care if they never get caught? Kenney suggests educating staff about the implications of their actions. And take it a step further by backing up your policies with both incentives and punishments.

"Education can work when it is reinforced with the incentives to do the right things. And even punishment for the wrong things can be effective."

Ideas to get people motivated to follow the rules include offering everyone tickets to a group event - or free lunch - for a certain number of days without an infraction. Conversely, if someone on staff continues to ignore the rules, "it is time to sit that person down and say I'm going to have to reprimand you," said Kenney.

Rules get in the way of productivity

People have been working around security since the dawn of IT in order to get their jobs done, said Kenney. Early examples include printing out sensitive documents that IT has blocked from download or distribution over email.

"You can lock laptops down and keep people from putting in flash drives to save things. But you know what they will do? They will print them out and do what they need to do to be productive."

Staff often view IT and security policy as a hindrance to productivity. And in many ways, it is, said Kenney. In his opinion, the riskiest behaviour employees engage in lately is the aforementioned use of free Web-based services like Yahoo, Hotmail or gmail to send company documents.

A recent report from Aberdeen found demand for secure/managed file transfer products is growing in several industries because of the need to share large files safely.

"When employees use web email as a workaround, companies don't know what kind of intelligence property is ending up in the cloud. They need the tools in order to transfer files safely."

Comments

Miles Technologies | Published: 15:24 GMT, 09 January 2009

Very helpful information! The only way for businesses to avoid a security breach is to "put the tools in place so breaches don't happen". Protecting network security is essential, and businesses who are unclear on how to do so should seek immediate expert information security services. - Miles Technologies, www.milestechnologies.com

Earle | Published: 18:23 GMT, 10 December 2008

Around my company it is mostly antiquated policies that do not address current needs and/or take advantage of current technology. I suspect that the true problem is inertia. Unfortunately, those who make the policies are not technically competent and those who are technically competent are not policy makers. I think this is beginning to shift, but it may take a while. In the meantime we who are technically competent must make an extra effort to train those around us how to do "it" better, and we must also educate, train, and promote ourselves into positions where we can have real influence on policy. Hah. And I can't even keep up with the tech end of the equation. Have we outsmarted ourselves?

Security? What Security? | Published: 09:22 GMT, 10 December 2008

Policy? What policy?

Brian Taylor | Published: 11:56 GMT, 19 November 2008

Security policies and password management can be enhanced using simple-to-use tools such as the UK-based www.picturepin.co.uk password manager tools. These tools keep passwords safe whilst enabling the company to provide difficult-to-crack and memorable passwords to its employees.

Marc | Published: 18:21 GMT, 16 November 2008

Steve, there's also the reverse problem with many businesses training their people (through reward) that dodging rules is OK so long as you don't get caught and, if caught, you can talk your way out of it. Most of the reasons I've come across for ignoring rules "to get the job done" were actually "I'm too damn lazy to find out how to do it right". Usually these are the same people who think they are "hot shots" in the company, too arrogant and/or incompetent (thus, promotable) to ask if there is a way to do X. Instead, they come up with their Rube Goldberg solution that ends up breaching security (because nothing is idiot-proof). At that point, it's always the "non user friendly" security types who get blamed. Much as you've done.

Steve Smith | Published: 22:24 GMT, 11 November 2008

Far too many people, both inside and outside the security field, assume an inverse relationship between security and convenience. If it's inconvenient, it's secure. It's actually rather easy to secure e-mail with individual certs and SSL IMAP. You'd never know it to talk to most security folks, who seem to think that "security" means "how many times can we make the user type his/her password?"
