Survey: Employees work around IT policies to get work done

Results of survey show that employees' behavior leaves sensitive company data at risk


BEDFORD, Mass., Oct. 13 /PRNewswire/ -- RSA, The Security Division of EMC (NYSE: EMC), today announced the findings of its latest insider threat survey, conducted among attendees at industry events in North America and Latin America in the spring and summer of 2008.

The survey polled 417 individuals - including delegates at the RSA Conference - who confessed to their work-related security behaviors and attitudes. The survey respondents work across a range of industries, with a heavy concentration within the financial and technology sectors. Almost half of the respondents' job functions were in information technology. During this era of well-publicized data breaches, the results indicate that even those who should know better are not exempt from the everyday behaviors that can trigger significant risk to sensitive business information.

Of the respondents polled:

People do as they will, regardless of awareness of best security practices

The results of the survey show that employees are well aware of the restrictions placed upon them by their corporate IT departments, yet many often work around these controls in order to get their jobs done in a convenient and timely manner.

Of all respondents polled:

When trusted insiders work around security policies, sensitive data can be exposed, placing businesses and their customers - often consumers - at unnecessary risk. Organizations can greatly mitigate this risk by developing information-centric security policies that acknowledge and align with the needs and realities of the business. This can help guard the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used. In tandem, organizations should build in more convenient, invisible, and layered security technologies that can reduce the factors that cause employees to break the rules and defeat their own company's security policies.

Remote access to sensitive information: random and unprotected

In a mobile world, the survey affirms that employees depend on remote access to corporate information when outside the office, whether at home or in public places.

Of all respondents polled:

Remote access to sensitive data requires stronger forms of authentication than a simple, static and vulnerable combination of a username and password. To help solve this problem, organizations can maintain the flexibility and convenience of remote access to VPNs and webmail by providing one-time passwords via a hardware token, or a software token that is easily accessible on mobile devices such as BlackBerry(R) smartphones.

Information can be a moving target - and portable data is regularly mishandled

The survey findings show that, in order for employees to be most productive, information has to be free to move. However, employee mobility increases the collective responsibility of protecting the information that is carried outside of the organization.

Of the respondents polled:

While mobility is essential to business agility, unprotected information - wherever it is kept or stored - increases risk. A policy-based approach to securing data helps to enable organizations to classify their sensitive data, discover that data across the enterprise, enforce controls, and report and audit to ensure compliance with policy.
