

Why Employees Break Security Policy (And What You Can Do About It)

Companies that monitor network behavior say many employees still break rules in order to get their jobs done

It happens every day: an employee who's out of the office wants to get into his machine at work. Instead of using a more secure method, he decides to email some files to his home machine, or upload a file to Facebook, or use a popular PC file-sharing tool. And the next thing you know, your organization is dealing with a major data leak.

Despite years of education and training, many enterprise end users still don't understand the risks of their network behavior, according to companies that monitor such activity. And despite years of warnings about data leakage, many organizations are still getting burned.

"What we see, in many cases, is that people haven't been told what they shouldn't be doing on the corporate network," says Adam Powers, CTO of Lancope, a company that makes tools for monitoring and analyzing network behavior. "They may have been told generally that some technologies are off limits, but they haven't been told explicitly what they can and can't do. In some cases, maybe they have been told, but they make the decision to do it anyway -- they're willing to take that first call from IT telling them to stop."

Most users aren't maliciously violating their company security policies, but simply seeking ways to get their jobs done expediently, says Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks, which makes next-generation firewalls that can track and control application and network usage in large enterprises. "When companies set unrealistic rules -- like limiting users to a very small email box capacity or restricting the ability to attach files to messages -- users will often find ways to get around them," he says. "Their motivation is not to break IT rules, but to get their jobs done."

Unlike industry analysts and vendors that survey enterprises about network behavior, both Lancope and Palo Alto Networks offer tools that can "see" what users are doing on the network. Lancope's products do detailed analysis of behavior in Cisco NetFlow environments; Palo Alto Networks' firewalls can identify and track the traffic generated by hundreds of different applications. Both vendors say that when they do their initial analysis of a new customer's network traffic, the IT and security staffs are always surprised by what they find.

"They'll say, 'We don't have any of that kind of traffic, we don't allow it,'" Bonvanie says. "Then we show them they have a lot of that very kind of traffic. In fact, we often see very little difference in the incidence of certain apps between companies that have strong policies against them and companies that don't."

And as consumer technology improves, the problem is getting worse, not better, Powers says. "A lot of people don't realize now that the technology they have at home is actually better than what they have at the office," he explains. "They feel they have unlimited bandwidth because, with today's services, they have very fast pipes at home. They feel they can use any app because they use them at home. YouTube, Skype, Facebook -- they're standard in most homes -- and people don't understand why they can't use them at the office."

Industry statistics support this assertion. In a study conducted by Cisco in 2008, approximately 70 percent of IT security professionals said that unauthorized use of applications accounted for at least half of their organizations' data leaks. Eighty-three percent of end users in the study said they used their work machines for personal reasons at least some of the time; nearly half of the users said they transfer files between work and personal machines when working from home.

More recently, Palo Alto Networks issued its "Application Usage and Risk Report" (AUR), which analyzes the data collected by its firewalls at some 350 organizations. The report shows that applications such as instant messaging, social networking, streaming media, and even peer-to-peer file sharing are nearly pervasive in all organizations, regardless of industry or geography.

"One of the things that we consistently find is that enterprises have a lot more email apps on their networks than they think," Bonvanie says. "Aside from the one or two that are officially deployed, they sometimes find 20 or 30 other apps -- not just Webmail, but a whole range of email apps that shouldn't be there. That has to be worrisome for these companies because sensitive data could be sent out through any one of those apps without the company knowing about it."

Powers says Lancope often finds users employing unauthorized methods to "remote in" to their work PCs from other locations, such as GoToMyPC.com or pcAnywhere. "In my mind, those are some of the most dangerous misuses because applications like that are essentially serving corporate data to the Internet," he says.

Not surprisingly, social networking sites, such as Twitter and Facebook, were cited by all of the experts. "The bandwidth consumed by social networking sites doubles about every six months," Bonvanie says. "And that's a concern, too, because the bad guys are constantly coming up with new ways to use those environments to hide or transmit malware or steal information."

Many users are also finding new ways to obscure their identities or obfuscate the data they are transmitting over the Web, experts say. Use of proxies, anonymizers, and tunneling is increasing, making it harder to detect leaks or pinpoint their sources.

So what can enterprises do about users' routine misuse of their corporate PCs and network connections? Interestingly, the experts don't advocate taking a hard-line stance. "A lot of companies try to enforce it by implementing active controls on the PC, and users hate that," Powers says. "It makes sense to shut down traffic that has no business reason behind it -- like P2P file-sharing or file transfers between the finance department and some region of the world where you aren't doing business. But if you make the rules too restrictive, users will try to find a way around them."

Bonvanie agrees. "Today, the most common scenario is that the IT organization simply issues a flat-out 'no' -- no Facebook, no Skype, no Google Apps," he says. "And what we see is that it often doesn't work. Users are getting a lot smarter at getting around security policy to do what they feel they need to do. What makes more sense is to set a policy that users can live with, and then be tougher about enforcing it."

Companies should set policies that recognize workers' needs to access company data -- securely -- from home, and occasionally employ their work computers -- securely -- for personal activities, the experts say.

"Set a baseline for behavior that is acceptable for everyone, and then monitor for activity that's beyond the baseline," Powers advises. "If you can recognize unusual behavior on a certain node or PC, you can then drill in and see what else is happening there, and enforce your policy."
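One way to turn that advice into a concrete check, as an added Python example (not Lancope's or any vendor's code; the NetFlow-style records, host names and thresholds are constructed): learn each host's normal destinations and transfer sizes from a baseline window, flag today's flows that go somewhere new or move far more data than the host ever has, then pull that host's other flows for review.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_host, dst_country, dst_port, bytes).
# BASELINE_FLOWS stands in for a learning window of known-acceptable traffic.
BASELINE_FLOWS = [
    ("fin-pc-07", "US", 443, 120_000),
    ("fin-pc-07", "US", 25, 30_000),
    ("fin-pc-07", "US", 445, 2_000_000),
    ("fin-pc-07", "GB", 443, 90_000),
    ("eng-pc-12", "US", 443, 500_000),
    ("eng-pc-12", "US", 22, 40_000),
]
# Constructed "today" traffic: one large transfer from a finance PC to a
# region the company does no business in, and one P2P-style port on eng-pc-12.
TODAY_FLOWS = [
    ("fin-pc-07", "US", 443, 150_000),
    ("fin-pc-07", "BR", 443, 45_000_000),
    ("eng-pc-12", "US", 6881, 300_000),
    ("eng-pc-12", "US", 22, 41_000),
]


def build_baseline(flows):
    """Per host: the set of (country, port) pairs seen, and the largest single flow."""
    seen = defaultdict(set)
    max_bytes = defaultdict(int)
    for host, country, port, nbytes in flows:
        seen[host].add((country, port))
        max_bytes[host] = max(max_bytes[host], nbytes)
    return seen, max_bytes


def find_deviations(flows, baseline, byte_factor=5):
    """Return (host, reason) for each flow outside the learned baseline.
    A host absent from the baseline has no known destinations, so all its flows alert."""
    seen, max_bytes = baseline
    alerts = []
    for host, country, port, nbytes in flows:
        reasons = []
        if (country, port) not in seen[host]:
            reasons.append(f"new destination {country}:{port}")
        if nbytes > byte_factor * max_bytes[host]:
            reasons.append(f"{nbytes} bytes vs baseline max {max_bytes[host]}")
        if reasons:
            alerts.append((host, "; ".join(reasons)))
    return alerts


def drill_in(host, flows):
    """Everything a flagged host did in the window, for the analyst to review."""
    return [f for f in flows if f[0] == host]
```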


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
