A startling number of technology professionals often knowingly ignore security policies or break them because they are unaware of them, according to a survey of more than 890 IT professionals by the Ponemon Institute.
The survey findings, coming after the UK’s HMRC loss of 25m personal records, show that it is not just cost cutting or poor understanding of security policies by low grade workers that threaten organisation’s data.
"The key takeaway is that information security policies are not being read, or – if they are being read – are not being understood, or if understood, people may not be following it," said Larry Ponemon, chairman of the US-based privacy think tank.
More than half of the respondents in the Ponemon survey said they had personally copied confidential company information into USB memory sticks, though more than 87% admitted that company policy forbids them from doing so.
In addition, 57% believe others in their organisation routinely use memory sticks to store and transport sensitive or confidential company data. Among the reasons cited for non-compliance were lack of policy enforcement and convenience.
Similarly, about 46% said they routinely share passwords with colleagues, even though a two-thirds majority of the respondents said their company's security policies prohibit them from doing so.
In some cases, the violations appear to happen because employees are unsure about company policy. For instance, 33% of survey respondents said they sent workplace documents home as e-mail attachments. Nearly half the sample didn't know whether that practice constitutes a breach of policy.
In the same vein, eight out of 10 of the IT professionals in the survey said they were unsure whether turning off network firewalls is a policy breach - which may explain why 17% admitted to having done so.
Sometimes, however, insider security breaches result from a lack of clear corporate guidelines.
For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60% of respondents said their companies have no stated policy forbidding the installation of personal software on company computers.
Nearly half admitted to downloading such software including peer-to-peer (P2P) file-sharing tools on company hardware. More than seven in 10 said they did not immediately report lost or missing devices containing company data.
"The reason why these thing are happening [is] because compliance is not enforced," Ponemon said. While more IT managers may realise the need for company-wide security policies, "people are just not paying attention to enforcement. There is no auditing" for compliance.
The Ponemon report is another reminder of the information security weaknesses that analysts have said often exist inside corporations. Though companies have for years focused their efforts on securing networks against external attacks, fewer have focused on accidental and malicious data leaks from inside. That's one reason why, despite the hype surrounding external hackers, many security managers are more worried about internal compromises.