Wednesday, October 15, 2008

Security policy being bypassed by employees, survey finds.

Many companies have security policies and procedures in place, but the results of a recent survey found that employees are bypassing many of them, bringing sensitive data home with very few protections.

In many cases, companies are struggling to find the right balance between strict security requirements and employee productivity as more employees work at home. Encryption and other security technologies are available, but some firms are accepting the risk and some may be unaware that end users are bringing customer data, personally identifiable information or company financial data home with them on laptops, smartphones and Universal Serial Bus (USB) flash drives.

RSA Security Inc., the Security Division of EMC Corp., conducted the survey, polling 417 individuals at separate conferences in April, May and June. 46% work in the financial services sector, 46% are IT professionals and 54% work in companies with more than 5,000 employees.

The survey found that 94% were familiar with their organizations' IT security policies, yet 53% felt the need to work around security policies in order to get their work done.

"There is a natural tradeoff between security, total cost of ownership and ease of use," said Sean Kline, director of product management in the identity access assurance group at RSA. "When you don't have a good balance between these things for particular populations of an organization, there's going to be a disharmony and they are going to try to resolve that by going around security."

Almost half of all respondents, and 60% of those surveyed based in the U.S., said they frequently leave work with a laptop or mobile device that holds sensitive information related to their job. Although few reported losing a device holding sensitive information, the information is more than likely not encrypted, Kline said.

"Companies are encouraging employees to leave the office with sensitive information; the trick is how you put appropriate security controls in place so that's safe," he said.

Kline said some firms are using encryption and even business data rights management technologies to control access to business documents and ensure they can be rendered useless in the hands of a rogue employee or outsider. Other firms appear to be choosing to accept the risk instead of adding costly security controls.

Employees also sometimes send business documents to their personal email address so they can access them from home. Seventy-nine percent of those surveyed said they sometimes or frequently access business documents using their personal email address.

Security training and education are not being neglected at many organizations. Nearly 70% of those surveyed said they receive training about the importance of following security best practices.

Kline said there are best practices available to help companies find the right balance between security and productivity. The International Organization for Standardization (ISO) has a set of best practices in ISO 27002 that can aid companies in implementing or improving their information security programs, Kline said.

"It's important to first take an assessment of which information and which transactions around that information are of the highest value and then an assessment of what potential threats there are within the organization and then create policy around the risk of an event occurring," Kline said. "If you just jump to putting controls in place, that's where you have a problem."

Companies also risk IT security being seen as an obstacle to productivity. A study done by research firm IDC on behalf of RSA, the Security Division of EMC, found that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses.
