6 Reasons Why Employees Violate Security Policies
Get into their heads to find out why they're flouting your corporate cybersecurity rules.
October 16, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltdae2d0f292e2de00/64f0d56de09efd3d4f595723/01-reasons.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Most of the time, employees break cybersecurity rules because they're trying to get their jobs done. CISOs and other security policymakers seeking better buy-in and compliance with their security policies would do well to remember that. So what exactly is behind their behavior? To help improve strategies around adherence to security policies, we put together a list of six of the most common drivers for rule-breakers.
Approximately 91% of cyberattacks today start with a phish. While some of that comes down to very sneaky phishing lures from attackers, the rate at which employees fall for these tricks can also be laid at the feet of ignorance.
The same goes for employees who fail to adhere to corporate policies by not properly protecting their devices when they're on the road, downloading risky applications, or putting sensitive data on public cloud stores with no protection whatsoever.
Earlier this year, a study showed that almost half of all entry-level employees and nearly a third of all employees don't even know whether their companies have a cybersecurity policy. That shows how companies are failing to communicate the rules through effective awareness training and internal marketing.
Oftentimes, employees know what the policies are but still break them because of the inconvenience they cause. Maybe the process of providing a co-worker or contractor access to a system they need for a project is so onerous that the employee barrels ahead by sharing her password. Or perhaps there's no easy cloud-based method in place for sharing data, so she feels justified in putting sensitive files on an unprotected SaaS storage service or AWS data store.
One study from 2017 showed that 72% of employees were willing to share sensitive, confidential, or regulated company information in certain circumstances, such as when doing so helped them or their recipients do their jobs more effectively (cited by 35% of respondents).
Sure, these corporate lawbreakers have plenty of culpability. But one of the lessons here is that often employees disobey cyber policies because they cause friction in the flow of work. Security teams could avoid problems by making account or access provisioning and approvals more seamless, and by providing easy-to-use and safe collaboration and sharing tools to teams.
In the same vein as convenience, don't discount the power of frustration to drive users to flagrantly break the rules. For example, even a very technically savvy employee who is in tune with security policies might be willing to sidestep the rules about using a VPN away from the office when under deadline stress in a location with poor network connectivity. This is another area where workflow friction should be taken into consideration. In the case of VPN performance, for example, Google internally implemented a completely different data access and IT architecture program called BeyondCorp that sidestepped the need for VPNs.
But even well-enabled employees, who have had awareness training and been given proper tooling to do their jobs safely, still break policies. They must be aware of the repercussions for violating policies so they don't flout the rules again.
There's room for improvement here. "I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats," wrote Tom DeSot, CIO of Digital Defense, in a Dark Reading commentary on security awareness training.
From checking a co-worker's HR file to find out his salary to hunting around for juicy information about famous clients, employees given free rein over sensitive information often give in to their curiosity and snoop.
According to one study from late last year, approximately 92% of security professionals reported that employees attempted to access information that is not necessary for their day-to-day work. And 23% said it happened frequently. Enforcing the rules of least privilege through role-based access controls, along with a healthy dose of user behavior monitoring, can help keep curiosity from killing the cybersecurity policy.
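The least-privilege and monitoring pairing described above can be made concrete with a small script. The following is an added example, not code from the article or from any study it cites: role-to-resource permissions, user-to-role assignments and the access-log lines are all constructed for illustration. It denies any access outside a user's role and then reports users who repeatedly probe resources they have no business need for, which is the kind of signal a user behavior monitoring tool would surface.

```python
import re
from collections import Counter, defaultdict

# Role definitions: each role maps to the resources its members need for
# day-to-day work. Constructed for this example.
ROLE_PERMISSIONS = {
    "engineer": {"source-repo", "ci-logs"},
    "hr":       {"hr-files", "payroll"},
    "sales":    {"crm", "client-list"},
}

# User-to-role assignments (constructed).
USER_ROLES = {"alice": "engineer", "bob": "sales", "carol": "hr"}

# Constructed access-log lines: "<timestamp> <user> <resource> <action>".
SAMPLE_LOG = """\
2018-10-16T09:01:02 alice source-repo read
2018-10-16T09:03:10 alice hr-files read
2018-10-16T09:04:44 bob crm read
2018-10-16T09:05:01 bob hr-files read
2018-10-16T09:05:09 bob payroll read
2018-10-16T09:05:30 bob hr-files read
2018-10-16T09:06:12 carol hr-files read
2018-10-16T09:07:00 dave source-repo read
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_allowed(user: str, resource: str) -> bool:
    """Least-privilege check: a user may touch only the resources of their role."""
    role = USER_ROLES.get(user)
    if role is None:  # unknown user: deny by default
        return False
    return resource in ROLE_PERMISSIONS.get(role, set())


def parse_log(text: str):
    """Yield (timestamp, user, resource, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def out_of_role_attempts(text: str):
    """Return (timestamp, user, resource) for every access outside the user's role."""
    return [(ts, user, res) for ts, user, res, _ in parse_log(text)
            if not is_allowed(user, res)]


def repeat_offenders(attempts, threshold: int = 2):
    """Users with at least `threshold` out-of-role attempts, with the resources they probed."""
    counts = Counter(user for _, user, _ in attempts)
    probed = defaultdict(set)
    for _, user, res in attempts:
        probed[user].add(res)
    return {u: sorted(probed[u]) for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    attempts = out_of_role_attempts(SAMPLE_LOG)
    for ts, user, res in attempts:
        print(f"{ts} DENY {user} -> {res}")
    print("repeat offenders:", repeat_offenders(attempts))
```

A single denied request is often an honest mistake; the `repeat_offenders` threshold is what turns a pile of deny entries into a short list worth a conversation with the employee's manager.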
According to the FBI's Internet Crime Complaint Center (IC3), business email compromise (BEC) scams have hit their victims with a cumulative $12.5 billion in losses over the past five years. In the past two years, BEC scams have increased by 136%.
These sophisticated attacks usually trick well-meaning employees into making wire transfer payments to criminals. And they usually work because they take advantage of one of the human tendencies social engineers most like to exploit: the drive to be helpful. For example, BEC attackers often go after people in the finance department, posing as aggrieved or distressed vendors who need their payment details changed in a hurry and payment put through ASAP. These attacks show the need not only for improved defense against spear-phishing and email impersonation, but also strengthened controls around financial payment systems and procedures.
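The "strengthened controls around financial payment systems and procedures" can be illustrated with a minimal vendor-bank-detail change workflow. This is an added example, not code from the article or from the IC3: the vendor record, the lookalike sender domain and the phone numbers are constructed. The controls it encodes are the ones finance teams commonly adopt against this scenario: flag a sender domain that doesn't match the vendor on file, require a callback to the phone number already on file (never one quoted in the email), and require an approver who is not the clerk handling the request. The account number changes only when every control has passed.

```python
from dataclasses import dataclass, field

# Vendor master data, constructed for this example. The phone number on file
# is the verification channel; a number quoted in an incoming email is never used.
VENDORS = {
    "V-100": {
        "name": "Acme Supplies",
        "email_domain": "acme-supplies.example",
        "phone_on_file": "+1-555-0100",
        "account": "ACME-OLD-001",
    },
}


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str                 # finance clerk handling the email
    sender_address: str               # From: header of the request email
    verified_out_of_band: bool = False
    approvers: set = field(default_factory=set)
    flags: list = field(default_factory=list)


def submit_request(vendor_id, new_account, requested_by, sender_address):
    """Open a change request and flag a sender domain that does not match the vendor."""
    vendor = VENDORS[vendor_id]
    req = ChangeRequest(vendor_id, new_account, requested_by, sender_address)
    domain = sender_address.rsplit("@", 1)[-1].lower()
    if domain != vendor["email_domain"]:
        req.flags.append(f"sender domain {domain} differs from vendor domain {vendor['email_domain']}")
    return req


def record_callback(req, number_dialed, vendor_confirmed):
    """Out-of-band verification counts only when the call went to the number on file."""
    if number_dialed != VENDORS[req.vendor_id]["phone_on_file"]:
        req.flags.append("callback did not use the phone number on file")
        return False
    req.verified_out_of_band = bool(vendor_confirmed)
    return req.verified_out_of_band


def approve(req, approver):
    """Four-eyes rule: the requester cannot approve their own change."""
    if approver == req.requested_by:
        req.flags.append("requester attempted to self-approve")
        return False
    req.approvers.add(approver)
    return True


def apply_change(req):
    """Update the vendor account only when every control has passed; otherwise report why."""
    reasons = list(req.flags)
    if not req.verified_out_of_band:
        reasons.append("no out-of-band verification")
    if not req.approvers:
        reasons.append("no independent approver")
    if reasons:
        return False, reasons
    VENDORS[req.vendor_id]["account"] = req.new_account
    return True, []


if __name__ == "__main__":
    # Constructed scenario: an urgent request from a lookalike domain, with a
    # callback placed to the number given in the email and a self-approval.
    req = submit_request("V-100", "UNKNOWN-999", "finance.clerk",
                         "billing@acme-suppiles.example")
    record_callback(req, "+1-555-0199", vendor_confirmed=True)
    approve(req, "finance.clerk")
    print(apply_change(req))
```

Notice that the flags accumulate rather than short-circuit: a reviewer sees every control that failed, which is more useful for coaching the employee than a bare "denied".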