Cisco Study Highlights Common Failures of Enterprise Security Policies

A study commissioned by Cisco highlights that many corporate employees are unaware of IT security policies, while others ignore them in the name of productivity. The gap in understanding comes down to communication and properly aligning security with the needs of the business.

As actor Paul Newman's character said in "Cool Hand Luke": "What we've got here is a failure to communicate."

The well-known quip is relevant to IT security in many enterprises. According to a survey by InsightExpress, one of the key issues surrounding IT is that many employees simply do not understand or know the security policies their company has in place.

The survey was sponsored by Cisco Systems and gathered responses from more than 2,000 employees and IT professionals in 10 countries. What was found was disturbing, if not startling: when asked if their companies had a security policy, there was a 20 to 30 percent gap between what IT professionals said and what other employees said. The largest gaps, at 31 percent, were in companies in the United States, Brazil and Italy.

Taken at face value, what this means is that many employees are oblivious to the security policies a company has in place. Most of the time security policies were passed along to employees via e-mail, an easy way of disseminating information perhaps, but not necessarily the most effective.

"When most employees get another announcement from IT about some policy or what have you, the typical response is to hit delete," said Marie Hattar, vice president of Network Systems and Security Solutions at Cisco. "That kind of nonverbal mode of communication, if you are depending on that, is not a very effective way of [informing employees]."

Though the survey did not cover whether employees who received messages about security policies face-to-face were more aware of the policies, holding office meetings gives employees a chance to ask questions and have a voice in the policy-making process.

Beyond the communication factor, there is also a gap between IT's perceptions of why policies are violated and employees' true motivations. When employees were asked why they broke security policies, the most popular responses in all 10 countries were either that the policies don't align with the realities of their job, they need access to applications not included in the policy, or both.

When IT pros were asked why employees violated policy, the most popular answers were variations on the theme of apathy and a lack of awareness.

Here, the problem is most likely related to a lack of understanding on the part of IT pros about how employees use technology to do their jobs. The end result is "greynets."

"I think generally there is sort of this tremendous growth in user-driven adoption of collaborative application, Web-enabled technology," said David Goddard, vice president of Security Assurance at Cisco. "There are many examples of that, from initial adoption of instant messaging tools to wikis ... if IT is communicating a policy that isn't agile enough to stay current, or at least be able to communicate the risk associated with those technologies if they're not IT supported or approved, the users will say, 'Look you're constraining my ability to drive towards productivity.'"

Addressing this issue means the authors of security policy need to understand the realities of the business, and look at security as an enabler of business processes rather than a digital stop sign.