‘Sometimes it is necessary to bend the rules a bit’

Survey hits at the center of reluctance to follow compliance management

boy slingshot threat
Thinkstock (Thinkstock)

A recent survey asked employees why they didn’t follow the rules and much of the response sounded a bit like a child answering their parent. They might have been bored or there were too many rules to deal with.

The rule breakers were called out in violating company policies. Other responses included:

  • "Sharing of information that clients need to know but we may or may not have been given permission but is needed information for clients to have for testing success"
  • "They are borderline infractions."
  • "Unhappy with job, company."
  • "Sometimes it is necessary to bend the rules a bit."
  • "So many policies I don't know them until I break them."
  • "I'm bored and I want to get on the internet and play games."
  • "We can not possibly know when a client is going to need certain information for testing success and often times it is spur of the moment so although the management team has not given permission, we have to make on the spot decisions with the hope we do not give too much information."

Softwareadvice surveyed 110 employees across a variety of industries to better understand the (in many cases) daily violations of company policy they commit. One in five employees admitted to daily or weekly policy infractions. Out of the top industries in the survey, employee compliance violations are most common in banking/finance, and least common in manufacturing.

Daniel Harris, market research analyst for Software Advice cited the following examples of the rule breakers:  

  1. Employees open phishing emails because they don't get the proper training on how to distinguish them from normal emails. Compliance management programs include LMS modules that can get employees up to speed on this point.
  2. Employees tend to store data where it's easiest to store data unless they get specific training or unless workflows are designed to ensure that they store data in the right places.
  3. Employees use company resources for personal use because they're bored.
  4. Phone dial-ins are easier than joining virtually in some instances. Telecom expense management policies are also arcane and complex to understand.
  5. People get sloppy with data
  6. People don't like paying for copyrighted work if they can avoid it, as witnessed by the success of file-sharing, torrenting, streaming, key-gens etc.
  7. Again, people get sloppy, and network policies are tough for non-IT personnel to understand.

He said compliance processes for preventive action, accident reporting can be tracked in a variety of tediously manual ways, particularly at smaller organizations. GRC platforms that offer workflow modules, templates and governance features can streamline such inefficient, paper-based processes.

"When we add in the 16 percent of the sample that have issues with the complexity of applicable regulations, we can see that overall, the diversity and complexity of compliance requirements creates the potential for violations for over half of our respondents,” Harris said.

Data privacy violations are also disturbingly high, he noted. “As we’ve seen in cases such as the Target hack, such violations can have devastating consequences. Risk-averse companies should explore software-guided training courses in these areas. Automated workflows can also help to streamline processes such as incident reporting, thereby increasing employee compliance."

The answer to the problem is compliance management software, which is said to reduce both conscious and unconscious violations via training modules, automated workflows and compliance surveys. Compliance management software helps normalize features to reduce the number of policies employees have to contend with by mapping emerging requirements to existing policies, aggregating similar policies. Policies can also be mapped to controls to enhance visibility into the implementation of policies.

"Compliance management software can reduce both conscious and unconscious violations via training modules, automated workflows and compliance surveys,” Harris said.

ASG Technologies’ products help businesses meet the challenge of increasing compliance demands and changing regulations. Ian Rowlands, vice president of Product Marketing at ASG Technologies, says ASG’s Data Intelligence product collects all the supporting information about data that makes it useful and understandable. It also allows compliance officers and their teams to locate data needed to deliver on-time answers audit and regulatory compliance questions.

Compliance management software doesn’t halt an action though. Take for instance if an employee was sending out something that they shouldn’t. Rowlands said that would be more in the realm of email filtering technologies. ASG’s software maps the data estate, traces data movement and understands data transformation.

Does compliance management stop an insider threat? Rowland said sadly it does not. Many forms of insider threat are really caused by the misapplication of proper business facilities, he said. That kind of activity is best intercepted by the use of threat analytics – for which a solid base of data intelligence is a key component. Another key issue is that most insider breaches are caused by “privileged users” – using data intelligence to document who is entitled to do what with data is another key element of protection.

ASG's content services product, Mobius, can enable a company to adhere to corporate policies, industry regulations and government mandates. Specific use cases include:

  • Redaction is able to obfuscate information. Therefore the company can create internal controls to enable compliance with PCI DSS 3.0, HIPAA, HITECH, Federal Privacy Act, and prevent employees, customers and criminals from obtaining Personally Identifiable Information.
  • Mobius View Records Management is able to automatically capture, classify, retain, dispose and destroy records regardless of location according to corporate policies, industry regulations and government mandates. When a legal event occurs, all required records can be put on hold to prevent manipulation or deletion. 
  • ViewDirect Audit and Balancing System can prevent abuse and enable compliance. For example, one Mobius customer uses the product for fraud detection, account reconciliation and financial audits.

Kennet Westby, president and co-founder at Coalfire, said compliance management software is invaluable to larger organizations and those with multiple compliance programs they are managing. Targeted solutions can be very effective for smaller organizations with limited resources to manage compliance.

“It is critical for an organization to select solution and implementation services that are focused on meeting the intent of the compliance requirements driven by risk management objectives. Buying solutions that drive a check-in-the-box approach that don’t conform to the scope of the environment, organizational structures and technology risks will fail,” he said.

Good compliance management solutions are more than issue or document management solution, he said, and should deliver valuable risk awareness and a risk reduction return on your compliance management spend.  

Westby said compliance is only achieved by implementing and operating required administrative, physical and technical controls continually to meet the intent of the compliance requirements. “When solid compliance management solution is implemented correctly it should be able to alert organizations to compliance gaps in implementation or operation and potential non-compliance. They can reduce many of the biggest risks to organizations going out of compliance. It also can greatly assist in demonstrating compliance to management, third party assessor or regulators,” he said.  

Engaging a qualified third party assessor with your solution design and implementation beyond your vendor can be the best money spent to achieve compliance and risk mitigation objectives.

"Without traceability and transparency, you cannot be compliant. To achieve compliance, regardless of the regulation, you must have a knowledge base telling you what data you've got, how it's being handled and who is touching it. As such, the continued strengthening of data intelligence and understanding of data is one of the most critical enabling components of compliance,” he said.

What to expect in compliance management 

Rowlands said  data governance will become a regulatory requirement, and core to compliance with many regulations. As an example, he cited the European GDPR (which does not explicitly require Data Governance, but which cannot be complied with in the absence of Data Governance), or Risk Data Aggregation regulations that explicitly require governance.

“Failure to maintain a full knowledge of the data inventory, its relationship to business policies and processes, and the ways in which data moves and is transformed will not be acceptable,” he said.

Policy management and machine learning will also be increasingly important elements of Compliance and Governance capabilities. He believes we are at the very dawn of the automation of data-related compliance. “Active” Data Governance will emerge so that problematic data actions are automatically detected and flagged for resolution.

Westby said the goal for most organizations is achieving continuous compliance management where a platform can coordinate scheduled administrative actions and monitor real-time technical control compliance to demonstrate current and ongoing compliance.

“Coordinating and integrating compliance and cyber risk management tools has the biggest payoff. When an organization can assign and tailor their compliance program based on informed risk mitigation strategies they are able to achieve the real intent of most compliance regimes. Conversely when compliance management solutions can bring real control operational effectiveness information back to your risk management program the accuracy of your risk assessment is significantly increased,” he said.

New! Download the State of Cybercrime 2017 report