Some rules are meant to be broken — including IT security policies, according to a new study by the Ponemon Institute.
In a report sponsored by IronKey, roughly half of the 967 end users surveyed said their corporate data security policies are largely ignored by both employees and management. The policy violations ranged from the misuse of USB sticks to personal use of e-mail to turning off the firewall.
In an age of data breaches and insider threats, 61 percent admitted to copying confidential data onto USB sticks and transferring the information to a noncorporate device. Most admitted their companies either did not allow this or had no policy in place to deal with it.
What’s more, 47 percent admitted to having shared their passwords with co-workers or third-party contractors in the past. The bad news doesn’t stop there. More than 20 percent of the respondents admitted to having turned off security such as anti-virus software, desktop firewalls and encryption on enterprise devices, up from 17 percent when this study was performed two years ago.
Not touched on in the survey directly is the issue of whether or not corporate policies are hindering productivity. There may be, for example, a legitimate reason for someone to copy data to a USB stick and transfer it to a computer outside the enterprise. But the study is not without insight as to why security policies seem to be falling short.
According to the report, 58 percent said they felt their companies did not provide adequate training on following the rules, while 46 percent said the policies were too complex to understand.
“As mobile devices become more and more prevalent in the workplace, our research shows that policies and enforcement are not keeping up with the increased risk of a data breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “Employees are under tremendous pressure to be highly mobile and productive, but they aren’t being properly educated on the risks to data integrity; they are taking data outside of the organizational structure without complete understanding or awareness of the serious implications of a breach or misuse of sensitive information.”