Your staff hates security processes. Of course, this isn’t something we didn’t already know. Antivirus software slows down their machines, and remembering zillions of passwords is a hassle. VPN software is often kludgy and most every other security process we ask employees to do gets in the way of their being able to do their jobs more easily. At least that’s the way they see it.
This shouldn’t be a surprise to anyone, but a recent survey from security firm Biscom showed that employees really, really, really do not like having to follow security policies.
The survey questioned more than 600 employees — from associates to senior executives — at U.S. companies with both data security policies and security tools in place. The companies included industries that are often heavily regulated, such as healthcare and financial services.
The survey respondents stated that their organizations provide secure ways to send and share information, but the results show that the respondents don’t seem interested in them. Consider this: 95 percent of respondents said that their organization provides tools to secure information, 85 percent said that there are policies in place for sharing information and 88 percent said their company even trains employees how to share information securely.
A full 78 percent of respondents said that they do understand and agree with their organization’s security policies. That’s a good start, but things got ugly from there. A majority of survey respondents (74 percent) said that they do share information insecurely with their internal colleagues as well as with people outside the organization (60 percent).
Why would they overshare like this? Complexity. When they decide to skip security policies or tools it’s because of the hassle. Respondents cited complexity as the biggest reason why they shunned using security tools and working within compliance policies.
There’s an old adage in security that convenience trumps security. These results show that there’s a lot of truth to that. The takeaway for security professionals is that security and compliance policies have to be built integrally into staff workflow or it’s highly likely it will be ignored and go undone.
It is largely unstructured data that employees are handling so insecurely — Word documents, presentations, Excel spreadsheets, financial data and media files that can all contain highly sensitive and regulated information. In fact, 49 percent of respondents admitted to insecurely sharing highly regulated data such as medical or financial information. Other types of information shared improperly include strategy documents or presentations (35 percent) and intellectual property like source code or patent filings (29 percent).
What would cause respondents to change their careless ways?
Monitoring. The survey revealed that 80 percent of respondents would change their behavior if IT monitored their activity in real time and if IT was notified of suspicious activity.
That’s certainly one way to do it. Monitor, or try to monitor, every click of every staff member and end-user. Or, organizations can build secure workflows and ways for everyone to collaborate within policy.
I know where I’d rather work.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2018/06/19/employees-remain-obstacle-to-security/