More Employees Ignoring Data Security Policies

June 10, 2009 at 4:38 pm

Does it surprise you to learn that, according to our recent study, "Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security," employee compliance with corporate data security policies is on the wane?

Why do you think this is?  I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.

According to our study, made possible through a sponsorship by secure USB flash drive developer IronKey, employees routinely engage in activities that put sensitive data at risk.  They are downloading data onto unsecured mobile devices (61%), sharing passwords (47%), losing data-bearing devices (43%), and turning off their mobile devices’ security tools (21%).  And, reflective of the blurring of the lines between personal and professional lives, they are using web-based personal email in the office (52%), downloading Internet software onto an employer’s devices (53%), and engaging in online social networking while in the workplace (31%).

With the exception of social networking, which we measured for the first time this year, each of these risky behaviors represents an increase compared to last year's results.

Interestingly, of those surveyed, 58% said their employer failed to provide adequate data security awareness and training, and 57% said their employer’s data protection policies were ineffective. According to 43%, there was poor communication and enforcement of data security policies.

The Ponemon Institute believes these results show an overall lack of urgency by companies on the need to address data security. Unfortunately, our studies have also shown that it often takes a data breach incident before an organization will finally get its wake-up call and take data security seriously.