Published in IT Pro at http://www.itpro.co.uk/182871/staff-forced-to-bypass-security-controls
31 March 2008
Some 68 per cent of employees admit to bypassing their employers' information security controls in order to do their jobs, according to new research out today.
Revealing a failure to understand the correct balance between the confidentiality and availability of information, the research suggested managers are implementing the wrong policies and procedures. This could potentially put their organisation at risk of data breaches while also undermining the legitimacy of information security in employees' eyes.
The research was conducted last month among 130 technology and compliance professionals on issues concerning the UK Data Protection Act (DPA) by governance, risk and compliance trainer and publisher, IT Governance Limited.
Alan Calder, IT Governance's chief executive, said: "Under the Data Protection Act, it is a legal requirement for organisations to safeguard personal information, but this can only be achieved with the support of employees. By imposing ill-considered procedures, many organisations leave people little option but to break the rules if they are to do their jobs."
Although the research did not cover how staff might breach controls, Calder told IT PRO of anecdotal experiences demonstrated every day in the course of his organisation's training and consultancy work.
"A third party provider may need access to information about staff they work with, but this is stored on secured central databases or on paper files," he said. "So, to have this information available while on visits, for instance, they photocopy or print it, or create an unencrypted PDF file that they then carry in their briefcase."
Another example he gave has the payroll clerk wanting to catch up on processing some divisional bonuses. "Unaware of their DPA responsibilities, but aware of the fact the IT department doesn't consider home PC systems secure enough to access central systems, they download the files to an unencrypted USB, which they could just as easily lose in the pub," Calder said.
The research found that most organisations appeared aware of their responsibilities under the DPA, with over 80 per cent having a data controller or someone responsible for maintaining privacy.
And 82 per cent had clear policies and procedures for protecting personal data, including documented procedures (68 per cent of organisations), formal procedures (57 per cent) and informal procedures (24 per cent).
Over a fifth had policies and procedures certified to best practice standards, such as ISO27001. Nevertheless, the high incidence of employees deliberately circumventing policies and procedures indicates that many of the measures introduced by management are unduly obstructive, either in design or implementation.
While 89 per cent cover access to personal data, only 56 per cent govern detecting and reporting data losses, while just 39 per cent extend this to correcting data loss incidents. And only 55 per cent of employees handling personal data have been trained in their legal responsibilities in respect of this information.
Calder added: "There are two fundamental issues at play here: managers that aren't aware of their DPA responsibilities don't supply the appropriate levels of guidance to the IT department in developing information security complaint procedures. And then IT protects its own department by oversecuring access."
He said more companies should follow best practice standards like ISO27001 and recommended more powers and resources for the Office of the Information Commissioner to force more companies to improve DPA training and compliance.
The full findings of this survey will be published next month in Data Breaches: Trends, Costs and Best Practices, the first of a new series of IT Governance Best Practice Reports.