3 Reasons Why Employees Don't Follow Security Rules
A recent survey finds employees continue to ignore security policies. (Surprise, surprise.) Here's a reminder about what often is missing in organizations that tempts workers to walk the wrong side of security law.
October 29, 2008 — CSO —
According to a recent survey from security firm RSA, a majority of workers polled said they regularly feel the need to dodge corporate security policies in order to get their job done.
The survey points out that while many companies are concerned about malicious insider threats, the real danger lies in the huge amount of seemingly innocent rule-breaking that goes on daily by otherwise well-intentioned employees.
We asked Frank Kenney, a Gartner analyst focused on application development and integration, for some thoughts on the major reasons why people don't adhere to corporate security policies -- and what they need in order to get on board with the rules.
They don't know the rules
The RSA survey found most respondents said they are 'familiar' with their organization's security policies. But policies aren't always black and white, according to Kenney. Many companies may be sending out mixed messages to employees.
"If I work for a company where I can't use gmail, but I have access to gmail, the company isn't giving me better way to send out large files, and they haven't blocked gmail, I'm going to use gmail," said Kenney.
Kenny's point is that if a corporation is going to insist that workers not use certain applications or visit certain Web sites, they need to do more than just put it down in the company manual. CSOs need to make sure workers are aware by making the points clear upon hire, and also by sending out refresher materials. Also, put the tools in place so breaches don't happen, stresses Kenney. If you don't want employees on gmail, take the time to block the site.
If they do know the rules, no one is enforcing themEven if you have the rules in place, and you know everyone is aware of them, what will stop employees from breaking them if they know there is no repercussion for their actions?
"If you run red light, you know there is a chance the police will stop you," said Kenney. "But with many security rules, employees know they will never be reprimanded for going against company policy."
RSA said respondents to their survey admitted to accessing work e-mail accounts through a public computer. A majority also said they had accessed work e-mail accounts over a public wireless network. Both these tactics put sensitive corporate data at risk. But do your employees really know that? And why should they care if they never get caught? Kenney suggests educating staff about the implications of their actions. And take it a step further by backing up your policies with both incentives and punishments.