News Flash – Employees Blatantly Violate IT Policies
by Clint Adams, Fiberlink
This recent headline is based on a survey conducted by Fiberlink and states that one in ten employees has “blatantly” violated IT policies at some point in order to be productive. Definitely an interesting statistic.
This made me wonder how many employees are inadvertently violating IT policies in the quest to be productive. I would hazard a guess at some multiple of one in ten. Obviously, inadvertent violations cannot be measured by surveying the users, but understanding the scope of these violations is just as critical. This is where the security controls we place on the systems help, or at least where they should be helping.
The reality is that inadvertent violations are not only more numerous, but potentially even more damaging. Think about a “blatant” violation. A user, in an effort to be more productive, defeats a security control to move a file, get to a restricted website or send confidential content via public email. Because there is knowledge and intent, there is also awareness and hopefully some prudence. They are more likely to monitor their own actions in an effort not to do damage.
When a user is inadvertently violating IT policy, they have no awareness and are blindly performing actions that can be destructive to their employer. Where does this conversation lead us? To the age-old question of awareness.
Awareness is a key ingredient in the security and compliance mix and can be effective on two fronts. The first front is awareness of the policies. This usually takes the form of published and communicated IT policy and guidelines that each employee understands and agrees to comply with.
The second front is the awareness of being monitored for compliance with the stated policies, together with awareness of the consequences of violations for the individual and for the company.
The ability to make the individual aware on these two fronts must be considered when evaluating security controls, and there is definitely room for improvement in many enterprise organizations in this regard.
In general, employees can be trusted to comply with written policies; they want to comply and understand the need to comply. That said, on a daily basis they also make decisions about how to balance the need for security against productivity (as the Fiberlink survey teaches us). Determining the balance between productivity and security is not the exclusive domain of the security professional. In the mobility space, users still have significant power in making these decisions because they are mobile and away from strong perimeter controls.
Taking a calculated risk to meet a need is human nature and we do it all the time. We speed when we are late for a meeting or event; construction safety is often compromised when deadlines are looming. Calculated risks are a way of life, and expecting employees to apply a different way of thinking to IT policies than they do to the rest of their life is not realistic.
Given this reality, we can learn from other areas how to gain greater compliance with policies. The biggest single influence in changing user behavior is the knowledge of being monitored. This has been demonstrated in a number of areas, from the proliferation of CCTV systems to various traffic control systems (speed cameras and the like). Individuals change their behavior radically when they know that they are being monitored and know the range and scope of the monitoring.
Given the importance of awareness, another very important tool in achieving greater IT policy compliance is real-time coaching, or “in the moment” education. Even though an individual may be aware of a specific policy and understand that they are being monitored, they may not understand that an action they are performing is violating the policy. This is where the security applications and controls that are implemented can do a much better job. The same controls that are logging the violations and reporting them to a central console should also be able to educate in real time, using the event as a teaching opportunity to raise overall awareness.
Security vendors have traditionally not been great in this regard. They may prevent an action, but many times the user is left frustrated, in the dark, and looking for ways to defeat the control that blocked them.
As we evaluate and implement security controls, we need to be thinking about the end user in all phases of security. Written policies need to be understandable and effectively communicated. Security controls that are implemented should be evaluated not only for their ability to prevent and log violations, but also for their ability to tell the end user, in real time, what the violation was, why it matters to the company, and what the consequences are.
Have you ever violated company policies to be productive? Comment below, and let us know.
