A new study released by the Ponemon Institute reveals that there is a general lack of awareness and enforcement of computer security policies at many companies. The rate of non-compliant employee behavior appears to be getting worse over time. According to the study, “Trends in Insider Compliance with Data Security Policies,” which was sponsored by secure flash drive manufacturer IronKey, many employees admitted to behaviors that could put their companies at risk of cyber attacks or theft of proprietary information.
Some of the key findings of the study include:
- A majority of employees admitted to such behaviors as improper use of a USB memory stick, using Web-based email accounts, sharing passwords, and turning off computer security settings.
- Nearly 69 percent of those surveyed said they had copied confidential company information onto a USB device. Only 13 percent of respondents said that their companies had a policy that allows for such actions.
- Another 61 percent of respondents admitted to copying information onto a USB stick and then transferring the data onto another computer.
- More than half of the respondents said that their companies provide inadequate training as it relates to computer and network security.
- About half of the employees surveyed said that their companies’ security policies are simply ignored, and that the policies are too complex to understand.
- Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.
While organizations invest heavily in securing their IT infrastructure, a critical aspect they often ignore is the human element of IT security. Building a strong perimeter, beefing up IT infrastructure, and deploying security suites do not help if the people using those systems are ignored. Writing security policies that are easy to understand, and telling employees clearly what is and is not acceptable, is a critical step in building a secure IT infrastructure. More importantly, this must be backed by a management commitment to enforce discipline. More often than not, IT security violations are let off with a warning or a cautionary note, and this does nothing to promote an organizational climate that takes IT security seriously.
The best way to build a security-aware organization is to sensitize employees and then demonstrate management's commitment to IT security by taking action against employees who violate policy. Hopefully this will turn employee behavior for the better.