Most IT staffers ignore security policies
July 7, 2009 by Sam Narisi. Posted in: In this week's e-newsletter, Latest News & Views, Regulations & Compliance
It’s not news that many employees are ignoring IT security policies. But who’s doing it might surprise you.
That’s right: it’s the IT employees themselves, according to a recent Ponemon survey.
For example, 69% of staffers admitted to copying confidential company data onto portable USB drives, even though 87% said their employer has a policy against it, according to the survey of 967 IT pros.
More than half download personal software to their work computers, which greatly increases the risk of bringing viruses onto the company network. Other unsafe behaviors the IT pros admitted to include:
- downloading info to unsecured smartphones and other devices (61%)
- sharing passwords (47%), and
- misplacing portable drives and not reporting the loss (43%).
All in all, 57% of those surveyed described their companies’ IT policies as “ineffective.” About half said those policies are largely ignored by management and employees throughout the company.
The main problem: a lack of training. More than half (58%) of respondents said their employer doesn’t provide adequate training on how to comply with the rules.
Tags: data theft, IT staff, Security

July 9th, 2009 at 10:29 am
IT people are usually tinkerers by nature.
A good way to handle this is to set up a common “lab” area, which nowadays can be in the form of a virtual environment, that the IT folks can use to tinker with new software or procedures. By policy, IT leadership must enforce desktop standards, and the IT folks have to adhere to those standards as well. One of the best arguments for this is that if the IT staff are not running a standard image, how can they effectively troubleshoot an end-user issue? Meanwhile, the lab can be a sandbox for tinkering.
There needs to be a policy in place against privileged access of confidential information, except in the case that it’s work-related. In the “bad old days” of the early to mid ’90s, there were lots of IT folks, especially at smaller companies, that would go in and read the CEO’s e-mail or other documents, because they figured no one would ever find out. The good news is that Sarbanes-Oxley, GLB, PCI, HIPAA, and a host of other regulatory measures have forced a level of maturity on the IT industry as a whole. A true IT professional would NEVER breach the company’s trust by accessing confidential data without authorization, but having audit measures in place helps “keep the honest people honest”.
Speaking from an IT leadership role, the IT folks need to be informed of the policy, informed of a zero-tolerance disciplinary policy, and FIRED immediately (with immediate termination of access) if they break the policy. There should be a special onboarding process for IT folks, and a yearly general review of departmental policies and procedures.
Many times, IT folks use their personal memory sticks or USB drives to copy data because it’s expedient, not for any other reason. It is a minor investment to purchase small form factor (known as 2.5″) USB hard drives for every IT staffer, which can be reformatted so that it can use Microsoft (EFS) encryption, or purchase a 3rd-party encryption tool. If you give the IT staff effective tools that simplify their job, they will use them, and keep the company’s data safe at the same time.
Sometimes there is a huge disconnect between IT and the rest of the business. Helping every IT staffer understand how the company makes money, their role in the company, and how they contribute to revenue is vital. Helping them understand the value of the data they protect and the role in protecting that data allows people to see the “big picture”. Once IT feels that it has a “stake” in the business (“….and THAT’s how you get your paycheck….”), then IT will be more proactive in practicing security rather than just IMPLEMENTING it, and often they will find innovative ways to help protect the company’s data.
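The commenter above suggests issuing IT staff USB drives reformatted for Microsoft EFS rather than letting them use personal sticks. The following PowerShell script is an added example, not from the article or the commenter, of the check an IT lead could run against such a drive before it goes into service or during a yearly review: it confirms the volume is NTFS (EFS only works on NTFS) and lists any files that are not carrying the Encrypted attribute. The drive letter parameter and the script name are assumptions for illustration.

```powershell
# Added example: verify that an issued USB hard drive is NTFS and that every
# file on it is EFS-encrypted. Usage (assumed script name):
#   .\Check-EfsDrive.ps1 -DriveLetter E
param(
    [Parameter(Mandatory = $true)]
    [string]$DriveLetter
)

$letter = $DriveLetter.TrimEnd(':')
$root   = "${letter}:\"

# EFS requires NTFS; a FAT32-formatted stick cannot hold encrypted files.
$vol = Get-Volume -DriveLetter $letter -ErrorAction Stop
if ($vol.FileSystem -ne 'NTFS') {
    Write-Warning ("{0} is formatted as {1}; EFS requires NTFS. " +
                   "Back up the data, then: Format-Volume -DriveLetter {2} -FileSystem NTFS") `
                   -f $root, $vol.FileSystem, $letter
    return
}

# The Encrypted file attribute is set on every file EFS protects.
$unencrypted = Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

if ($unencrypted) {
    Write-Output "Files on $root NOT protected by EFS:"
    $unencrypted | Select-Object FullName, Length, LastWriteTime
    Write-Output "To encrypt a folder and its contents in place: cipher /e /s:<folder>"
} else {
    Write-Output "All files on $root are EFS-encrypted."
}
```

Two caveats for anyone adopting this. EFS protects files with a certificate tied to the user's Windows profile, so a drive encrypted on one workstation is unreadable on another unless the user's EFS certificate (or a designated recovery agent's) is available there; that is the behaviour you want if the drive is lost, but it means the recovery agent policy must be in place before drives are handed out. The check also only reports the attribute; it does not prove the recovery agent was configured, so pair it with a periodic review of the EFS recovery policy in Group Policy.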
July 9th, 2009 at 12:01 pm
Seems fashionable to blame it on training. Supervisors and managers are the key. The training department can help to develop the knowledge and skill. Application on-the-job and complying with the rules is another matter.
August 28th, 2009 at 6:36 am
I guess they’re too confident that they can outwit hackers and viruses. Nice attitude!