Employees consistently flouting security policies
Written by staff reporter
The majority of IT decision makers believe their employees regularly circumvent company security policies. Despite the fact that over half of those surveyed have invested in safeguards to protect their businesses against cyber threats in the past 12 months, careless employee behaviour could be leaving many organisations exposed to risks.
The findings are part of Databarracks’ sixth Data Health Check report, which surveyed over 350 IT decision makers in the UK.
When asked how often they thought their employees flout security policies (such as taking company data offsite, fabricating or omitting information on sign-in sheets, and keeping written records of passwords), 61% estimated their workforce side-step such policies at least once a month, with around a third (28%) saying it’s daily or more.
These results contrast with other findings from the report: over half (59%) have invested in safeguards in the past 12 months to protect against cyber threats like malware, viruses and phishing attacks. However, if employees are commonly circumventing the security practices put in place by company IT departments, these protocols may not be as effective as hoped.
Technical operations manager at Databarracks, Oscar Arean, said the results of the survey were pretty damning, with IT managers seriously lacking confidence in their employees’ commitment to their security plans. “If they’re correct, then their businesses will be left exposed to cyber threats, as well as other more traditional threats such as social engineering. It may be no coincidence that two thirds (66%) of those we questioned had been affected by a cyber-threat in the past 12 months. No amount of investment in cyber security policies can make up for poor employee habits; IT managers need to address this issue if they are to secure their organisations from malicious threats,” he said.
Arean suggests communicating cyber risks more clearly throughout the organisation and opening a conversation with employees to improve the plans in place: “Employees that flout security policies are unlikely to be purposely trying to threaten the business – they either don’t know the consequences of their actions or they feel too restricted by the policies that are in place.
“Despite the rise in ransomware, there is a blind ignorance to security in the sense that people just don't realise the consequences of the actions they take. Awareness training is used to address security concerns but is typically only done yearly or as part of the initial induction. In order for it to be effective, it needs to be carried out much more regularly.”