Corporate Security Policies Found Ineffective
Altogether, the study, which was conducted by InsightExpress, a U.S.-based market research firm, surveyed more than 2,000 employees and IT professionals in 10 countries about the prevalence and effectiveness of corporate security policies in the workplace and the reasons employees either break or adhere to them. Specifically, the study found that risky security behavior and failure to comply with a company's security policy often resulted from a lack of communication and awareness, and from a failure to align policy with employee job objectives.
"Technology does not equal security," said Christopher Burgess, Cisco senior security adviser. "If the individual understands the value of that which they are touching, they will protect it appropriately."
For channel partners, Cisco execs say that the survey served as a way to open up new dialogues with customers about security, while creating new opportunities to provide consultative and assessment services.
"It will help our partners understand the full breadth of service they can offer on the consultative side," said Susan Don, director of channel business development, "and think holistically around the full range of issues."
"There's so many ways data can leak out of an organization," she added. "It's important that (customers) are hearing it through someone they care about."
Here's what the study found:
Lack Of Policy and Changing Work Environment
For all that security has evolved in the workplace, roughly one out of four businesses (23 percent) said they didn't have a standard security policy in place.
Part of the reason for inadequate security policies could be attributed to a workplace environment that has significantly changed -- and whose evolution has outpaced many company IT policies. The study indicated that one reason for communication gaps between security policy and employee behavior is, in part, that the work environment has become increasingly mobile and collaborative, executives say. And as the perimeter collapses, so too does the old security policy.
"As (employees) become more agile and distributed, data is being flung all over the place," said Burgess. Meanwhile, as workers are increasingly bringing laptops home and working from coffee shops, security policies often go out the window in order for the job to get done.
Lack Of Policy Awareness
The majority of companies have security policies in place, but research reveals that employees often defy or ignore them, the study found.
The reason? They likely don't even know their company has a security policy.
While IT administrators might be aware that their company has a security policy, that information doesn't always trickle down to the employees. Across the board, research indicated that the number of IT administrators who knew a security policy existed was 20 to 30 percent higher than the number of employees who were required to follow it, with the largest gaps in the U.S., Brazil and Italy.
Communication Breakdown
Overwhelmingly, failure to comply with company regulation resulted from a lack of communication. The study found that when IT communicates policies to employees, it often uses non-verbal -- and subsequently unmemorable -- means, such as e-mail, IM and voicemail. As a result, 11 percent of employees said that IT never communicates or rarely educates them on security policies.
Policy Needs Updating
Three out of four IT professionals believed that their policies require more frequent updates, a view echoed by almost half of employees. China and India were the most vocal about the lack of regular updates.
That Policy's Unfair
The majority of employees in eight of the 10 countries surveyed indicated that they believed their company's security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices said that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use.
IT and Employees: Reasons For Non-Compliance
IT personnel maintained that employees defied policies for reasons that ranged from failing to grasp the severity of the security risk, to thinking IT is there to protect them, to simply not caring.
Employees, on the other hand, said that the top reason for circumventing security policy was the belief that the regulations didn't align with their job requirements, followed by the need to access applications not covered in the policy.
"If your constituency doesn't understand why a policy exists, you need to investigate why it exists," said Burgess.