Survey Reveals Employees Evade and Ignore Network Security Policies

June 10, 2009

Ponemon Institute and IronKey Announce Results of a Survey Showing Non-Compliant Behavior in the Workplace Puts Organizations at Risk

TRAVERSE CITY, Mich. and LOS ALTOS, Calif., June 10 /PRNewswire/ — There is a general lack of awareness and enforcement of security policies and procedures in companies today, according to new research announced by privacy and information management research firm, Ponemon Institute. The report, Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies, was sponsored by IronKey, maker of the world’s most secure flash drive, and examines the challenges facing IT professionals in securing confidential data.


  • The majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk. Such behaviors include the insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings and more.
  • According to the study, 69 percent of employees surveyed said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
  • 61 percent admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
  • Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
  • 58 percent of the respondents said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
  • Approximately half of the survey participants said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
  • Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.

    Key Survey Scenarios: 

    Six Survey          Experience Rates  Evidence of Non-     2007 Study
    Scenarios                             Compliance with      Experience
                                          Corporate Data       Rates
                                          Security Policy

    1. Copying           69% said they    87% believe company  51% said they
    confidential         do it            policy forbids it    did it
    information onto
    USB memory

    2. Accessing Web-    52% said they    74% believe there    45% said they
    based email          do it            is no stated         did it
    accounts from                         policy that
    workplace computer                    forbids it

    3. Losing a          43% said they    72% said they        39% said they
    portable data-       lost or          did not report       lost or
    bearing device       misplaced a      a lost or            misplaced
                         portable data-   missing              a portable
                         bearing device   device               data-bearing
                                          immediately          device

    4. Downloading       53% said they    38% said the         45% said they
    personal software    do it            company policy       did it
    onto company                          forbids it
    assigned computer

    6. Turning off       21% said they    71% believe          17% said they
    security settings    do it            there is no          did it
    or firewall on                        stated policy
    workplace computer                    that forbids it

    7. Sharing           47% said they    71% believe          46% said they
    passwords with       do it            that company         did it
    coworkers                             policy forbids it

Supporting Quotes:

“As mobile devices become more and more prevalent in the workplace, our research shows that policies and enforcement are not keeping up with the increased risk of a data breach,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Employees are under tremendous pressure to be highly mobile and productive, but they aren’t being properly educated on the risks to data integrity; they are taking data outside of the organizational structure without complete understanding or awareness of the serious implications of a breach or misuse of sensitive information.”

“This research highlights an urgent need for organizations to implement and enforce comprehensive policies for mitigating the risks associated with the storage and mobility of proprietary data,” said John Jefferies, vice president of marketing at IronKey. “While organizations have made improvements in some areas, this study shows the lack of enforcement of data security policies, the need to automate enforcement where possible, and responsibility for organizations to invest in educating and training employees to help them understand the importance of compliance.”


Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies is a survey of U.S.-based end-users of corporate information technologies. Results were derived from 967 responses from a sampling frame of 17,021 (5.7% response rate).

Supporting Resources:

About the Ponemon Institute

The Ponemon Institute(C) is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About IronKey

IronKey’s award-winning products and services combine the world’s most secure flash drive with the world’s most powerful USB management software. IronKey’s USB memory sticks bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey’s management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives. With IronKey, organizations centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world. Thousands of customers, including over 50 Fortune 500 companies, government agencies and military organizations that handle some of the most sensitive security information in the world trust IronKey to protect business critical data. All IronKey products are FIPS 140-2, Level 2 validated. For more information, please visit www.IronKey.com.


Source: newswire

comments powered by Disqus