3 reasons why employees don't follow security rules
- 30 October, 2008 10:24
According to a recent survey from security firm RSA, a majority of workers polled said they regularly feel the need to dodge corporate security policies in order to get their job done.
The survey points out that while many companies are concerned about malicious insider threats, the real danger lies in the huge amount of seemingly innocent rule-breaking that goes on daily by otherwise well-intentioned employees.
We asked Frank Kenney, a Gartner analyst focused on application development and integration, for some thoughts on the major reasons why people don't adhere to corporate security policies -- and what they need in order to get on board with the rules.
They don't know the rules
The RSA survey found most respondents said they are 'familiar' with their organization's security policies. But policies aren't always black and white, according to Kenney. Many companies may be sending out mixed messages to employees.
"If I work for a company where I can't use gmail, but I have access to gmail, the company isn't giving me a better way to send out large files, and they haven't blocked gmail, I'm going to use gmail," said Kenney.
Kenney's point is that if a corporation is going to insist that workers not use certain applications or visit certain Web sites, it needs to do more than just put that down in the company manual. CSOs need to make sure workers are aware by making the points clear upon hire, and also by sending out refresher materials. Also, put the tools in place so breaches don't happen, stresses Kenney: if you don't want employees on gmail, take the time to block the site.
If they do know the rules, no one is enforcing them
Even if you have the rules in place, and you know everyone is aware of them, what will stop employees from breaking them if they know there is no repercussion for their actions?
"If you run a red light, you know there is a chance the police will stop you," said Kenney. "But with many security rules, employees know they will never be reprimanded for going against company policy."
RSA said respondents to its survey admitted to accessing work e-mail accounts through a public computer. A majority also said they had accessed work e-mail accounts over a public wireless network. Both of these practices put sensitive corporate data at risk. But do your employees really know that? And why should they care if they never get caught? Kenney suggests educating staff about the implications of their actions, and taking it a step further by backing up your policies with both incentives and punishments.
Comments
andrew_Marc
The majority of companies have security policies in place, but research reveals that employees often defy or ignore them, the study found.