Security policy being bypassed by employees, survey finds

By Robert Westervelt, News Editor
14 Oct 2008 | SearchSecurity.com


Many companies have security policies and procedures in place, but the results of a recent survey found that employees are bypassing many of them, bringing sensitive data home with very few protections.

In many cases, companies are struggling to find the right balance between strict security requirements and employee productivity as more employees work at home. Encryption and other security technologies are available, but some firms are accepting the risk and some may be unaware that end users are bringing customer data, personally identifiable information or company financial data home with them on laptops, smartphones and Universal Serial Bus (USB) flash drives.

RSA Security Inc., the Security Division of EMC Corp., conducted the survey, polling 417 individuals at separate conferences in April, May and June. Of the respondents, 46% work in the financial services sector, 46% are IT professionals and 54% work in companies with more than 5,000 employees.

The survey found that 94% were familiar with their organizations' IT security policies, yet 53% felt the need to work around security policies in order to get their work done.

"There is a natural trade-off between security, total cost of ownership and ease of use," said Sean Kline, director of product management in the identity access assurance group at RSA. "When you don't have a good balance between these things for particular populations of an organization, there's going to be a disharmony and they are going to try to resolve that by going around security."

Almost half of all respondents and 60% of those surveyed based in the U.S. said they frequently leave work with a laptop or mobile device that holds sensitive information related to their job. Although few reported losing a device holding sensitive information, the information is more than likely not encrypted, Kline said.

"Companies are encouraging employees to leave the office with sensitive information, the trick is how you put appropriate security controls in place so that's safe," he said.

Kline said some firms are using encryption and even business data rights management technologies to control access to business documents and ensure they can be rendered useless in the hands of a rogue employee or outsider. Other firms appear to be choosing to accept the risk instead of adding costly security controls.

Employees also sometimes send business documents to their personal email address so they can access them from home. Seventy-nine percent of those surveyed said they sometimes or frequently access business documents using their personal email address.

Security training and education is not being neglected at many organizations. Nearly 70% of those surveyed said they receive training about the importance of following security best practices.

Kline said there are best practices available to help companies find the right balance between security and productivity. The International Organization for Standardization (ISO) has a set of best practices in ISO 27002 that can aid companies in implementing or improving their information security programs, Kline said.

"It's important to first take an assessment of which information and which transactions around that information are of the highest value and then an assessment of what potential threats there are within the organization and then create policy around the risk of an event occurring," Kline said. "If you just jump to putting controls in place, that's where you have a problem."

You also risk IT security being seen as an obstacle to productivity. A study, done by research firm IDC on behalf of RSA, the Security Division of EMC, found that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses.
