Even the best corporate security policies can come unraveled if they're not actively implemented and enforced. Results of a new survey show that when it comes to one key aspect of infosec policies -- file sharing -- many enterprises fail to educate end users on what their policies cover, or worse, that they even exist.
Employees think they're safer than they really are.
Bob Janacek, co-founder and CTO, DataMotion
DataMotion Inc., a provider of email encryption and file-transfer security services, surveyed more than 400 IT and business professionals regarding their corporate file-transfer habits. The results show that, on the whole, IT management does not clearly communicate or enforce security policies to non-IT users, likely paving the way for risky behavior on the part of those users.
There was a particularly large chasm between policy and practice regarding the use of consumer cloud file-transfer services such as Dropbox, for example. Over 50% of IT managers indicated their organizations ban such services, but only 27.25% of non-IT respondents said those services are banned where they work. Dropbox and other cloud providers have been dinged for lacking security controls in the past, hence it's widely believed among security pros that employees who use those services may be unwittingly putting sensitive corporate data at risk.
The survey also highlighted widespread confusion over bring your own device (BYOD) policies. More than 56% of IT respondents claimed to have a BYOD policy in place, but three out of every four non-IT users indicated they aren't subjected to security guidance on mobile devices.
Though 59% of IT managers claimed to be aggressively enforcing a secure file-transfer policy, the message, according to DataMotion, is clearly not reaching end users.
"The non-IT employees felt a lot safer to freewheel and conduct business in whatever way they saw necessary, thinking that their ecosystem was going to keep them secure," said Bob Janacek, co-founder and chief technology officer of Morristown, N.J.-based DataMotion. "Employees think they're safer than they really are."
Though IT teams may be quick to blame end users for purposefully ignoring security policies, Janacek said the average user is typically only measured on the work they complete. If a file is too big for a user to email securely, and if opening a help desk ticket to remedy the situation takes too long, many will simply do whatever it takes to complete the task, whether that be through the use of personal email services or cloud providers.
Average non-IT employees also tend to have more confidence in the security of their personal ecosystem-- thanks to incomplete media reports -- Janacek said. He pointed to press releases around the recent announcement that Yahoo would use SSL encryption for its personal webmail interface. What those reports left out, according to Janacek, was the rest of the route an email must traverse, none of which is protected by SSL.
DataMotion's survey points to this false sense of confidence, with nearly two-thirds of non-IT users responding that they would be "very confident" their organization would pass a compliance audit. In contrast, only less than half of IT managers shared that same level of assuredness.
Instead of assigning blame to end users, Janacek said he wants IT managers to provide the tools necessary for employees to securely perform their job functions. That starts by offering ongoing education on security risks and the policies that are in place to protect the organization, but he said evangelizing alone won't be enough.
Janacek emphasized that IT managers must take ease of use into account when purchasing and implementing security products. For example, he said many mobile email encryption providers require users to exit their native email applications and go through a different mobile app or skin to send an encrypted message. Janacek said that's the completely wrong way to go about implementing security, and that most end users would send messages unencrypted rather than jump through technological hoops to perform the task securely.
"The IT security vendor has to interface through the device the way it was meant to be used, and not cause a different workflow to access their security," Janacek said. "I think in all the categories of technology products, if a security system is difficult to use, the end users will find a way around it to get their jobs done. Security will be more quickly abandoned than just about any category I can think of.
"That ease of use is so paramount," Janacek added, "but a lot of times, it's just overlooked."