Survey: Employees work around IT policies to get work done

Results of survey show that employees' behavior leaves sensitive company data at risk

"Data loss prevention is a key concern for those in charge of today's corporate networks and information assets. However, with the sheer portability of information that we have today, it is essential that that data is governed not by the whims and day-to-day actions of your employees, but rather by pre-determined policy and subsequent controls," said Tom Corn , Vice President, Data Security, at RSA. "In this way, organizations can prevent sensitive information from being written to a USB flash drive in the first place - or at least mandate that it is encrypted."

Making sure the right users have access to the right information

Organizations are dynamic and individuals' roles often change within the organization - be it an employee's internal move to a different job function or an outside consultant who moves on after the completion of an engagement. However, the governance of the corporate network does not always stay in lockstep with these moves.

Of all respondents polled:

Access to highly sensitive data should be granted only to those who need it, and in some job functions access to only very specific areas within the information infrastructure are necessary. Organizations can manage large numbers of users while enforcing a centralized role-based security policy that ensures compliance, protects enterprise resources from unauthorized access and makes it easier for legitimate users to do their jobs.

"The survey reveals that it is as important for businesses to diligently enforce information security controls and policies focused on protecting the everyday actions of well-meaning, innocent insiders as it is to enforce those designed to defend against those with malicious intent," said Christopher Young , Senior Vice President at RSA. "It remains clear that businesses need to take a layered approach to security to help mitigate the insider threat and keep data safe. As such, it is important for any organization to know who has access to your information; control access through policy; monitor for suspicious activity to verify user identities; create and enforce data security policies and controls; and transform real-time event data into actionable compliance and security intelligence."

For a report of the full 2008 survey findings and recommendations, please view The 2008 Insider Threat Survey: Workers Admit to Everyday Behavior That Puts Sensitive Information at Risk


The 2008 Insider Threat Survey by RSA, The Security Division of EMC, was taken by 417 attendees at three industry events in three countries within North America and Latin America :

RSA's November 2007 Insider Threat Survey respondents were government or office workers polled on the streets in Boston and Washington D.C. Both the 2007 and 2008 survey respondents were employees, contractors, partners, visitors and consultants who have physical and/or logical access to organizational assets, and each survey contained the same questions.

About RSA

RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used.

RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit and