Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:43 AM

What's Behind Non-Compliance?

New study shows that many employees still don't know about critical policies - or believe those policies will be enforced

Next week, Ponemon Institute and our study sponsor, Red Cannon, will present the independent results of a national survey designed to better understand employee compliance with data security policies in the workplace. The data speaks volumes about the current state of "security awareness" in the enterprise.

We surveyed 893 individuals who work in corporate IT to find out if they believe their organizations are proactively protecting equipment and information assets. We wanted to know if they were taking all of the necessary steps to protect those assets, such as forbidding illegal data transfer, restricting password sharing with coworkers, limiting access to Web-based email accounts, seizing legal attachments sent to personal email addresses, and preventing antivirus or firewall settings to be disabled by employees.

Based on previous research for other studies, we knew that most IT practitioners consider malicious or negligent insiders to be the greatest threat to an organization’s information assets. Hence, it would seem logical that such organizations should focus on creating policies that are strictly enforced – and training employees on the importance of complying with these policies.

What we learned in this survey, however, is that many individuals are still uncertain about their companies' policies – or don’t know whether they exist. Further, even if they are aware of these policies, many respondents feel their organizations are apathetic about enforcing them.

These attitudes are important, because many enterprises in our survey said they already have experienced compliance mishaps. For example, 39 percent say their organizations have lost or misplaced a cellular phone, memory stick, PDA, or laptop computer that contained confidential or sensitive information. Further, 56 percent believe that their organization will never be able to reconstruct the data lost or stolen.

And yet, despite these dangers, many enterprises still have made little progress in educating their users about the need for security policy or the importance of following it. Let's look at seven common security events, along with users' attitudes toward each one, as collected in the survey.

  • Fifty-one percent of respondents say they copy confidential information onto USB memory sticks, even though 87 percent believe their company's policy forbids it.

  • Forty-five percent say they access Web-based email accounts from their workplace computers. Seventy-four percent say there is no stated policy that forbids it.

  • Thirty-nine percent say their organizations have lost or misplaced a portable data-bearing device. Seventy-two percent did not report the lost or missing device immediately.

  • Forty-five percent of respondents say they download personal software onto a company-assigned computer. Sixty percent say there is no stated policy that forbids it.

  • Thirty-three percent of those surveyed say they send workplace documents to their home computers as email attachments. Forty-eight percent are unsure whether this violates policy.

  • Seventeen percent say they turn off security settings on their firewalls or on workplace computers. Eighty percent are unsure whether this violates security policy.

  • Forty-six percent of respondents said they share confidential passwords with their coworkers. Sixty-seven percent believe that their company's policy forbids it.

While these scenarios are not intended to be an exhaustive list of data security threats, it is clear that a large number of respondents admit to behaviors that are very risky for their organizations and, hence, are very likely to violate security procedures or privacy policies.

In the first scenario, for example, more than half of respondents admit to copying unprotected confidential or sensitive information onto USB memory sticks (aka, flash drives), yet almost 90 percent admit that their company’s policy forbids this action. This is a remarkable rate of non-compliance.

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from our study findings. Even with these caveats, however, the results of our study indicate that there is an opportunity for organizations to address and mitigate serious threats to sensitive and confidential information.

Creating policies to address the vulnerabilities described here, strengthening existing policies, and training insiders to comply with these policies should all be high priorities. By taking these steps as part of an enterprise-wide data security program, you can reduce the threat of a data breach due to insider negligence or complacency about security issues.

If you have questions or comments about the research, or if you would like to obtain a full report, please contact us.

— Larry Ponemon is founder and CEO of Ponemon Institute LLC . Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module(R12CCPU-V Ethe...
PUBLISHED: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.