Why Employees Don't Follow Security Rules
According to a recent survey from security firm RSA, a majority of workers polled said they regularly feel the need to dodge corporate security policies in order to get their job done.
The survey points out that while many companies are concerned about malicious insider threats, the real danger lies in the huge amount of seemingly innocent rule-breaking that goes on daily by otherwise well-intentioned employees.
We asked Frank Kenney, a Gartner analyst focused on application development and integration, for some thoughts on the major reasons why people don't adhere to corporate security policies -- and what they need in order to get on board with the rules.
They Don't Know the Rules
The RSA survey found most respondents said they are 'familiar' with their organization's security policies. But policies aren't always black and white, according to Kenney. Many companies may be sending out mixed messages to employees.
"If I work for a company where I can't use gmail, but I have access to gmail, the company isn't giving me better way to send out large files, and they haven't blocked gmail, I'm going to use gmail," said Kenney.
Kenny's point is that if a corporation is going to insist that workers not use certain applications or visit certain Web sites, they need to do more than just put it down in the company manual. CSOs need to make sure workers are aware by making the points clear upon hire, and also by sending out refresher materials. Also, put the tools in place so breaches don't happen, stresses Kenney. If you don't want employees on gmail, take the time to block the site.
If They Do Know the Rules, No One Is Enforcing Them
Even if you have the rules in place, and you know everyone is aware of them, what will stop employees from breaking them if they know there is no repercussion for their actions?
"If you run red light, you know there is a chance the police will stop you," said Kenney. "But with many security rules, employees know they will never be reprimanded for going against company policy."
RSA said respondents to their survey admitted to accessing work e-mail accounts through a public computer. A majority also said they had accessed work e-mail accounts over a public wireless network. Both these tactics put sensitive corporate data at risk. But do your employees really know that? And why should they care if they never get caught? Kenney suggests educating staff about the implications of their actions. And take it a step further by backing up your policies with both incentives and punishments.
"Education can work when it is reinforced with the incentives to do the right things. And even punishment for the wrong things can be effective."
Ideas to get people motivated to follow the rules include offering everyone tickets to a group event -- or free lunch -- for a certain number for days without an infraction. Conversely, if someone on staff continues to ignore the rules, "it is time to sit that person down and say I'm going to have to reprimand you," said Kenney.
Rules Get in the Way of Productivity
People have been working around security since the dawn of IT in order to get their jobs done, said Kenney. Early examples include printing out sensitive documents that IT has blocked from download or distribution over email.
"You can lock laptops down and keep people from putting in flash drives to save things. But you know what they will do? They will print them out and do what they need to do to be productive."
Staff often view IT and security policy as a hindrance to productivity. And it many ways, it is, said Kenney. In his opinion, the riskiest behavior employees engage in lately is the aformentioned use of free Web-based services like Yahoo, Hotmail or gmail to send company documents.
A recent report from Aberdeen found demand for secure/managed file transfer products is growing in several industries because of the need to share large files safely.
"When employees use Web e-mail as a work around, companies don't know what kind of intelligence property is ending up in the cloud. They need the tools in order to transfer files safely."