IT managers believe that the weakest link in information security is employees flouting security policies
- Published: Thursday, 10 November 2016 10:30
A new study reveals that nearly two thirds (61 percent) of IT decision makers believe their employees regularly circumvent company security policies. Despite the fact that over half of those surveyed have invested in safeguards to protect their businesses against cyber threats in the past 12 months, careless employee behaviour could be leaving many organizations exposed to risks.
The findings are part of Databarracks’ sixth Data Health Check report, which surveyed over 350 IT decision makers in the UK.
When asked how often they thought their employees flout security polices (such as taking company data offsite, fabricating or omitting information on sign-in sheets and keeping written records of passwords) 61 percent estimated their workforce side-step such practices at least once a month, with around a third (28 percent) saying it’s daily or more.
These results can be considered in contrast to other findings from the report; over half (59 percent) have invested in safeguards in the past 12 months to protect against cyber threats like malware, viruses and phishing attacks. However, if employees are commonly circumventing the security practices put in place by company IT departments, these protocols may not be as effective as hoped.
Oscar Arean, technical operations manager at Databarracks, commented on the results:
“We expanded the remit of the Data Health Check this year to look at how IT departments approach cyber security, and how their users experience (and respond to) their approaches. The results have been pretty damning, with IT managers seriously lacking confidence in their employees’ commitment to their security plans. If they’re correct, then their businesses will be left exposed to cyber threats, as well as other more traditional threats such as social engineering. It may be no coincidence that two thirds (66 percent) of those we questioned had been affected by a cyber threat in the past 12 months. No amount of investment in cyber security policies can make up for poor employee habits; IT managers need to address this issue if they are to secure their organisations from malicious threats.”
Arean suggests communicating cyber risks more clearly throughout the organization and opening a conversation with employees to improve the plans in place: “Employees that flout security policies are unlikely to be purposely trying to threaten the business – they either don’t know the consequences of their actions or they feel too restricted by the policies that are in place.
“Despite the rise in ransomware, there is a blind ignorance to security in the sense that people just don't realise the consequences of the actions they take. Awareness training is used to address security concerns but is typically only done yearly or as part of the initial induction. In order for it to be effective, it needs to be carried out much more regularly.
“A lot of IT departments handle incidents in the background with only key senior individuals being informed, but if threats aren't communicated internally to employees then they will carry on as they always have. Employees are less risk adverse when it comes to the working environment because there’s a culture that it's someone else's problem if it goes wrong, where in fact it's everyone's problem. In some cases, organizations aren't able to recover from these threats which not only puts the business at risk but also the position of all the employees within it.
“IT security requires a more open dialogue between the IT department and the rest of the business. Find out where and how security processes are too restrictive or unintuitive and work on improving your employees’ experience with them. How tight are your controls and do they need tweaking? Security is not just a tick box exercise anymore; it's a concern for everyone. Asking these kinds of questions to the right people will go a long way to improve adherence to IT security practices,” Arean concluded.More details