"People do as they will, regardless of awareness of best security practices."
This simple truth is at the heart of an insider threat study published by RSA earlier this week. The survey of executives -- principally IT people and members of the financial services industry -- offers insights on how end users behave and why insider breaches continue to mount despite broad implementation of security awareness programs.
More than 90 percent of those surveyed said that they are familiar with their companies policies. However, some 53 percent said they feel they "need to work around [their] company's security policies and procedures just to get [their] job done."
"When you try to force-fit a security solution into business processes or situations where it doesn't fit, then employees will often work around that, says Sean Kline, director of product management for the Identity and Access Assurance Group at RSA. "Ultimately, a security program is going to be a tradeoff between security, total cost of ownership, and ease of use."
So far, however, many companies are having trouble striking that balance, according to the survey. Sixty-four percent of the respondents said they sometimes send business documents to their personal email addresses so that they can access them from home, a practice that generally breaks corporate security policies. More than half also say they use public computers to access business email.
A majority of respondents also said they sometimes engage in other risky behavior, such as accessing corporate networks from public WiFi hotspots or carrying business data home on portable storage media. Almost half of U.S. respondents said they have been allowed through a secure door in a company building by someone they didn't know.
Tim Wilson, Site Editor, Dark Reading