Cisco, a leading security provider, recently conducted a two-part research study that assessed the effectiveness of IT security policies. This study, which analyzed the behavior and perceptions of 2,000 employees and IT professionals in 10 countries, found that employees engage in numerous risky behaviors at work, including the following:
- Altering security settings to bypass corporate security policies and access unauthorized sites
- Accessing unauthorized areas of networks and facilities
- Sharing sensitive corporate data with non-employees
- Sharing corporate devices with non-employees
- Losing portable storage devices
- Allowing others to "tailgate" behind them into corporate facilities
- Leaving devices with passwords to personal financial accounts and corporate systems unattended and unlocked
In addition, Cisco’s research revealed some surprising findings about the effectiveness of corporate security policies. For example:
- One in four organizations don’t have any data protection or security policies in place.
- A large gap exists between employees and IT personnel regarding security policy awareness: Between 20 percent and 30 percent more IT respondents than employees are aware of their company’s security policies.
- A communication disconnect often exists because IT personnel tend to communicates policies in an indirect, non-verbal manner (e.g., email, voicemail, memo). This lack of direct, verbal engagement contributes to the gap in IT personnel/employee security policy awareness.
- The main reason that employees don’t adhere to corporate security policies is a lack of alignment between those policies and the reality of doing their jobs.
- One in five IT professionals has experienced a data leakage incident that involved the loss of customer data.
In the following video, Cisco CSO John Stewart explains why data leakage is such a serious issue and what companies can do about it.