Most Employees Ignore IT Security Policies
Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.
The insider threat survey, conducted by RSA among 417 industry event attendees, polled workers across a range of industries, weighted toward the financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.
Highlights from the survey:
- 94% are familiar with their organizations’ IT security policies
- 53% have felt the need to work around IT security policies in order to get their work done
- 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home
- 15% have held a door open for someone at work that they did not recognize
- 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
- 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
- One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
- 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
- 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
- 37% have stumbled into an area of their corporate network to which they believe they should not have had access
As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.
This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages from overlapping policies or from a mismatch between policy and procedure. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.
As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules - employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).
Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.
Via CSO Online; image: mconnors @morguefile







One Comment on “Most Employees Ignore IT Security Policies”

November 17th, 2008 at 4:18 am
Nice, this article reminds me about IT security policies. Very informative and mentions a lot of information. Without our knowledge we ignore these things, which are minor but have to be remembered always, since they can cause big trouble for the company. We have done a video about laptop security; you can watch it, the link is below.
http://www.8falcons.com/video/2130450:Video:204