Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security PoliciesOctober 28, 2008
SAN JOSE, Calif. - October 28, 2008 - Cisco today released a second set of findings from a global study on data leakage, revealing the prevalence and effectiveness of corporate security policies within companies and the reasons employees break or comply with them. The study enables information technology teams in various parts of the world to understand employee risk factors so they can effectively tailor policies that fit the reality of what their users need to do their jobs.
The latest security findings follow the first wave of research announced last month on common employee data leakage risks and mistakes around the world (http://newsroom.cisco.com/dlls/2008/prod_102108.html). The findings on corporate security policies stem from surveys of more than 2,000 employees and IT professionals in 10 countries: the United States, the United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil. Conducted by InsightExpress, a U.S.-based market research firm, the security study was commissioned by Cisco at a time when data loss (www.cisco.com/go/dlp) is one of the most prominent concerns of businesses. As lines blur between work and home, and as employees use collaborative applications and mobile devices, the role that security policies play in protecting sensitive data becomes increasingly critical.
"This study reinforces the need to revisit corporate security policy and how that policy is communicated", said John N. Stewart, chief security officer for Cisco. "When employees believe that security policy is unfair, in the way of them doing their jobs and don't grasp the 'why', then policies quickly lose their efficacy. Too often we write policies as rules, not as reasons, and if brought together with awareness, education and communication, then it unmasks why policies are necessary, critical and help. By engaging with employees and understanding what they need to do their jobs, we can develop realistic policies that work more cohesively and effectively with corporate security, ultimately resulting in a more secure environment."
The Findings: A Matter of Policy
Fortunately, the research found that a majority of businesses (77 percent) have security policies in place. However, for the one business in four that does not, the trends of mobility, collaboration and workforces without borders present a more urgent concern as those businesses attempt to set official policies for how and when to access corporate data, applications and networks. The absence of security policies is most prevalent in Japan (39 percent) and the United Kingdom (29 percent).
But even when companies have security policies, the research reveals that employees often defy or ignore them. More than half of the employees surveyed admitted that they do not always adhere to corporate security polices. Of all the countries, France (84 percent) has the most employees who admitted defying policies, whether rarely or routinely. In India, one in 10 employees (11 percent) admitted never or hardly ever abiding by corporate security policies. Several factors influence employees' decisions to adhere to or break corporate security policies:
- Awareness: One of the most noteworthy findings was the gap between the number of employees and IT professionals who are aware of policies. Depending on the country, the number of IT professionals who knew a policy existed was 20 to 30 percent higher than the number of employees. The largest gaps (31 percent) were in the United States, Brazil and Italy. This finding raises the question of if and how IT communicates policies to employees.
- Communication: Eleven percent of employees said IT never communicates or educates them on security policies. This finding is especially prevalent in Europe, where the United Kingdom (25 percent) and France (20 percent) featured the greatest number of employees making this claim. When IT communicates policies to employees, they often use non-verbal and indirect vehicles - email, messages during computer login processes, and voicemail.
- Updates: Three of four IT professionals (77 percent) believed their policies require more frequent updates, while half of the employees (47 percent) echoed that sentiment. China (91 percent) and India's (89 percent) IT respondents were the most vocal. When matched with the employee behavior findings in the first set of research, the need for a corporate security structure is clearly greater in countries with burgeoning economies and growing workforces that are connecting to Internet-based networks for the first time.
- Fairness: The majority of employees believe their companies' policies are unfair. This is the case in eight of 10 countries; only employees in Germany and the United States did not agree. As businesses become more collaborative, spurred by the adoption of interactive Web 2.0 applications, video and mobile devices, the desire to protect employees as they embrace new technologies without frustrating them with rigid policies becomes a diplomatic balancing act for IT departments.
- Non-compliance: One of the most significant findings was the difference in employee and IT perspectives on policy non-compliance. According to IT, employees defy policies for a variety of reasons, from failing to grasp the magnitude of security risks to apathy. However, employees said the top reason for non-compliance is their belief that policies do not align with the reality of what they need to do their jobs. More than two of five employees (42 percent) made this claim globally. In Germany, even though the majority of employees felt their companies' policies were fair, more than half of them (55 percent) said they would break them to complete their jobs.
"This decision employees make to either adhere to policies or sidestep them to complete their jobs presents a noteworthy challenge to IT," said Marie Hattar, vice president of Network Systems and Security Solutions for Cisco. "IT needs to reshape security policies to meet the real needs of businesses and employees, or they risk a policy breakdown and a greater risk for data loss and breaches."
According to the research, breaches affect more than just companies in question. One of the more sobering findings is that of the IT respondents who dealt with employee policy violations, one in five reported that incidents resulted in lost customer data.
Today, Cisco security executives will present the study's findings in greater detail and share their approach to establishing and communicating corporate security policies. The company will host an Internet TV broadcast with media and industry analysts from 8 to 9 a.m. PDT (to attend: http://tools.cisco.com/cmn/jsp/index.jsp?id=75955).