Survey Reveals Employees Evade and Ignore Network Security Policies
Ponemon Institute and IronKey Announce Results of a Survey Showing Non-Compliant Behavior in the Workplace Puts Organizations at Risk
- The majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk. Such behaviors include the insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings and more.
- According to the study, 69 percent of employees surveyed said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
- 61 percent admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
- Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
- 58 percent of the respondents said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
- Approximately half of the survey participants said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
- Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.
Key Survey Scenarios: Six Survey Experience Rates Evidence of Non- 2007 Study Scenarios Compliance with Experience Corporate Data Rates Security Policy 1. Copying 69% said they 87% believe company 51% said they confidential do it policy forbids it did it information onto USB memory stick 2. Accessing Web- 52% said they 74% believe there 45% said they based email do it is no stated did it accounts from policy that workplace computer forbids it 3. Losing a 43% said they 72% said they 39% said they portable data- lost or did not report lost or bearing device misplaced a a lost or misplaced portable data- missing a portable bearing device device data-bearing immediately device 4. Downloading 53% said they 38% said the 45% said they personal software do it company policy did it onto company forbids it assigned computer 6. Turning off 21% said they 71% believe 17% said they security settings do it there is no did it or firewall on stated policy workplace computer that forbids it 7. Sharing 47% said they 71% believe 46% said they passwords with do it that company did it coworkers policy forbids it
“As mobile devices become more and more prevalent in the workplace, our research shows that policies and enforcement are not keeping up with the increased risk of a data breach,” said Dr.
“This research highlights an urgent need for organizations to implement and enforce comprehensive policies for mitigating the risks associated with the storage and mobility of proprietary data,” said
Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies is a survey of U.S.-based end-users of corporate information technologies. Results were derived from 967 responses from a sampling frame of 17,021 (5.7% response rate).
- Full Study Link: https://www.ironkey.com/ponemon
- Webinar Link: https://www.ironkey.com/webinars/ponemon/files/lobby.html
Dave Jevans, IronKey CEO Blog: http://blog.ironkey.com/
- The Ponemon Institute: http://www.ponemon.org/index.php
- Dr. Ponemon Blog: http://www.ponemon.org/blog/dr-ponemons-blog
About the Ponemon Institute
The Ponemon Institute(C) is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
IronKey’s award-winning products and services combine the world’s most secure flash drive with the world’s most powerful USB management software. IronKey’s USB memory sticks bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey’s management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives. With IronKey, organizations centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world. Thousands of customers, including over 50 Fortune 500 companies, government agencies and military organizations that handle some of the most sensitive security information in the world trust IronKey to protect business critical data. All IronKey products are FIPS 140-2, Level 2 validated. For more information, please visit www.IronKey.com.