Next week, Ponemon Institute and our study sponsor, Red Cannon, will present the independent results of a national survey designed to better understand employee compliance with data security policies in the workplace. The data speaks volumes about the current state of "security awareness" in the enterprise.
We surveyed 893 individuals who work in corporate IT to find out if they believe their organizations are proactively protecting equipment and information assets. We wanted to know if they were taking all of the necessary steps to protect those assets, such as forbidding illegal data transfer, restricting password sharing with coworkers, limiting access to Web-based email accounts, seizing legal attachments sent to personal email addresses, and preventing antivirus or firewall settings to be disabled by employees.
Based on previous research for other studies, we knew that most IT practitioners consider malicious or negligent insiders to be the greatest threat to an organizations information assets. Hence, it would seem logical that such organizations should focus on creating policies that are strictly enforced and training employees on the importance of complying with these policies.
What we learned in this survey, however, is that many individuals are still uncertain about their companies' policies or dont know whether they exist. Further, even if they are aware of these policies, many respondents feel their organizations are apathetic about enforcing them.
These attitudes are important, because many enterprises in our survey said they already have experienced compliance mishaps. For example, 39 percent say their organizations have lost or misplaced a cellular phone, memory stick, PDA, or laptop computer that contained confidential or sensitive information. Further, 56 percent believe that their organization will never be able to reconstruct the data lost or stolen.
And yet, despite these dangers, many enterprises still have made little progress in educating their users about the need for security policy or the importance of following it. Let's look at seven common security events, along with users' attitudes toward each one, as collected in the survey.
- Fifty-one percent of respondents say they copy confidential information onto USB memory sticks, even though 87 percent believe their company's policy forbids it.
- Forty-five percent say they access Web-based email accounts from their workplace computers. Seventy-four percent say there is no stated policy that forbids it.
- Thirty-nine percent say their organizations have lost or misplaced a portable data-bearing device. Seventy-two percent did not report the lost or missing device immediately.
- Forty-five percent of respondents say they download personal software onto a company-assigned computer. Sixty percent say there is no stated policy that forbids it.
- Thirty-three percent of those surveyed say they send workplace documents to their home computers as email attachments. Forty-eight percent are unsure whether this violates policy.
- Seventeen percent say they turn off security settings on their firewalls or on workplace computers. Eighty percent are unsure whether this violates security policy.
- Forty-six percent of respondents said they share confidential passwords with their coworkers. Sixty-seven percent believe that their company's policy forbids it.
While these scenarios are not intended to be an exhaustive list of data security threats, it is clear that a large number of respondents admit to behaviors that are very risky for their organizations and, hence, are very likely to violate security procedures or privacy policies.
In the first scenario, for example, more than half of respondents admit to copying unprotected confidential or sensitive information onto USB memory sticks (aka, flash drives), yet almost 90 percent admit that their companys policy forbids this action. This is a remarkable rate of non-compliance.
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from our study findings. Even with these caveats, however, the results of our study indicate that there is an opportunity for organizations to address and mitigate serious threats to sensitive and confidential information.
Creating policies to address the vulnerabilities described here, strengthening existing policies, and training insiders to comply with these policies should all be high priorities. By taking these steps as part of an enterprise-wide data security program, you can reduce the threat of a data breach due to insider negligence or complacency about security issues.
If you have questions or comments about the research, or if you would like to obtain a full report, please contact us.