Security policies? Workers ignore them, survey says

Computerworld - It's one thing to have a companywide information security policy in place. But it's a whole different ballgame to get employees to actually follow the policies -- even those that are IT types.

A startling number of technology professionals often knowingly ignore security policies or break them because they are unaware of them, according to a survey of more than 890 IT professionals by the Ponemon Institute LLC.

"The key take-away is that information security policies are not being read, or if they are being read, are not being understood; if understood, people may not be following it," said Larry Ponemon, chairman of the Elk Rapids, Mich.-based privacy think tank.

More than half of the respondents in the Ponemon survey released this week said they had personally copied confidential company information into USB memory sticks, though more than 87% admitted that company policy forbids them from doing so. In addition, 57% believe others in their organization routinely use memory sticks to store and transport sensitive or confidential company data. Among the reasons cited for noncompliance were lack of policy enforcement and convenience.

Similarly, about 46% said they routinely share passwords with colleagues, even though two-thirds of the respondents said their company's security policies prohibit them from doing so.

In some cases, the violations appear to happen because employees are unsure about company policy. For instance, 33% of survey respondents said they sent workplace documents home as e-mail attachments. Nearly half the sample didn't know whether that practice constitutes a breach of policy. In the same vein, eight out of 10 of the IT professionals in the survey said they were unsure whether turning off network firewalls is a policy breach -- which may explain why 17% admitted to having done so.

Sometimes, however, insider security breaches result from a lack of clear corporate guidelines.

For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60% of respondents said their companies have no stated policy forbidding the installation of personal software on company computers. Nearly half admitted to downloading such software, including peer-to-peer (P2P) file-sharing tools on company hardware. More than seven in 10 said they did not immediately report lost or missing devices containing company data.

"The reason why these things are happening [is] because compliance is not enforced," Ponemon said. While more IT managers may realize the need for companywide security policies, "people are just not paying attention to enforcement. There is no auditing [for compliance]."

The Ponemon report is another reminder of the information security weaknesses that analysts have said often exist inside corporations. Though companies have for years focused their efforts on securing networks against external attacks, fewer have focused on accidental and malicious data leaks from inside. That's one reason why, despite the hype surrounding external hackers, many security managers are more worried about internal compromises.