Published by Computer Weekly at http://www.computerweekly.com/Articles/2008/03/31/230054/heavy-handed-security-bypassed-by-employees-says-research.htm
31 March 2008
Most employees by-pass security controls at some stage because they're not convinced they are necessary, according to a new study. It also identified that 80 per cent of people are aware of the need for maintaining data control.
Research firm IT Governance, which conducted the study, found that two-thirds of employees (68%) admitted bypassing their employers' information security controls in order to do their jobs. IT Governance put the blame firmly on security managers. "By implementing the wrong policies and procedures, they are potentially putting their organisations at risk and may be undermining the legitimacy of information security in employees' eyes," it said in its report.
The survey was conducted in February 2008 by polling 130 technology and compliance professionals on issues concerning the UK Data Protection Act (DPA).
Knowledge of security responsibilities is high in most organisations, it concluded. Over 80 per cent of the survey group had a data controller or someone responsible for maintaining privacy and 82 per cent had clear policies and procedures for protecting personal data.
One in five (21%) even had certified best practice standards, such as ISO27001, indicating particularly well managed information security. But there was a corresponding high incidence of employees deliberately circumventing policies and procedures.
Companies can only safeguard information with the support of employees, explained Alan Calder, CEO of IT Governance. His study suggested that support has not been earned yet in many organisations. "By imposing ill-considered procedures, many organisations leave people little option but to break the rules if they are to do their jobs," said Calder.