Can't Be Bothered: Security Policies Ignored By 90% Of Workers

Most workers put convenience ahead of security policy: 90% of them admit to ignoring it when they feel they need to.

Almost two-thirds of employees report regularly using personal technology for work, primarily for convenience. For example, most workers admit to sending files from their company computer to a personal email account so they can keep working outside the office.

"Employees will often work around controls, especially ones they feel are onerous, as a way to make their job easier," said Brian Lee, Data Privacy practice leader at CEB.

"This 'Rationalised Noncompliance' can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth. Establishing a more balanced approach to information governance, one that complements technological controls with prudent and relevant privacy policies that employees can easily follow, will allow companies to effectively use the information they collect and protect against a damaging data breach."

With the advent of cloud-based productivity tools and the increase in collaboration between employees, more data is changing hands and leaving company-controlled networks than ever before, which means employees are exposing more sensitive data than at any previous time.

The costs are significant: CEB found that the average Fortune 1000 company already spends more than $400,000 a year notifying customers and employees of privacy failures, and that figure covers only the failures that are reported. In fact, 45% of internal privacy failures are caused by intentional but non-malicious employee actions.

"While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches: employee behavior," said Lee. "Investing in technology to improve security is essential; however, organizations also need to ensure that employees are doing their part to protect sensitive information."

Most employees do not willingly violate security policies, but the reality is that they are sometimes forced into doing so.

"I do not find it surprising that employees violate data breach policies, because I have indeed been in the same situation," said Mike Ahmadi, global director, Critical Systems Security, Synopsys Software Integrity Group. "In one case the IT department simply did not have any failure mode in place to compensate for instances where the policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower-level IT support staff would often suggest the workaround."

He added, "The business world penalises lost productivity and does not reward employees who use the excuse, 'I was following the data loss policy guidelines.' Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies."

A similar 2015 survey by Balabit found that 69% of employees were willing to bypass security for the sake of expediency.

"Today's 90% number, although conducted among a different target group, marks a significant increase in just a year," said Zoltán Györko, CEO at Balabit.

"So in other words, while hackers are getting more malicious and creative in their approaches, organisations may be becoming more complacent. Both trends are moving in the wrong direction."

Source: Infosecurity
