Most companies are implementing security and compliance policies, but one out of three employees don’t understand them, according to a survey of 780 IT and business decision-makers across the U.S. and Canada.
At the same time, three-quarters of respondents said they believe employees at least occasionally violate their company’s compliance and security policies, and more than one in five said those who do so are aware of what they are doing but violate the policies anyway to get their job done.
The survey, conducted by DataMotion, also found that 44 percent of respondents only moderately enforce security policies they have in place.
More than half of respondents said it is somewhat likely their company would be selected for a compliance audit within the next year.
Yet, nearly 60 percent admitted they are, at most, only somewhat confident their organization would pass this type of audit.
Almost 30 percent of respondents lack the ability to encrypt email, a negligible increase over last year’s finding of 28.3 percent. Nearly one-third of respondents lack confidence in their company’s current email encryption policy.
"In the case of security and compliance, most employees are unaware of the types of cyber risks they can fall victim to, and the resulting consequences should their action result in a breach," Bob Janacek, DataMotion’s chief technology officer and co-founder, told eWEEK. "So basic cyber risk training to raise awareness will result in improved results. From an email perspective, most employees have no idea that Internet email is not secure."
Janacek said a common employee misconception is that email is sent from their secure desktop, and appears in the recipient’s password-protected email account, so it’s a private one-to-one message.
"What they don’t realize is that a standard email message sent outside of their organization travels over the public Internet via a series of intermediary systems or hops," he explained. "During its journey, it has the security equivalent of a postcard and is open to inspection and copying at many locations along the way. To combat this lack of security, employees should activate encryption for any email they would not want everyone to read."
In other results, the survey revealed that 42.1 percent of respondents will spend at least $10,000 in the next year on email encryption.
When comparing small and large organizations, larger companies (1,000+ employees) were less confident they would escape a compliance audit, with two-thirds saying it was at least somewhat likely they would be selected. At companies with fewer than 100 employees, 35.9 percent of respondents believe an audit is likely.
Almost two-thirds of all respondents said their organization is conducting ongoing training to improve compliance and security policy adherence, and nearly 43 percent said their company is using technology to monitor and report security risks.
In addition, more than half of respondents said their organization is conducting more frequent communication regarding policies.
"Email encryption has significantly evolved from the days where key exchange between users was required. Today’s email encryption systems provide their security in ways that are intuitive for non-technical senders and recipients, support an organization’s archiving and eDiscovery policies, and provide superior mobile experiences," Janacek said. "Ease of use for desktop and mobile users, and transparent integration into custom applications is paramount to the success of an email encryption solution."