December 04, 2007
Companies still failing to enforce security rules
Guess what?
Creating the most comprehensive and restrictive security policies in the world won't do your company any good if you don't enlist means of enforcing them.
Should this be news?
One might think not, but apparently -- based on a new study published by Ponemon Institute and sponsored by DLP vendor RedCannon -- many companies are failing to implement their existing security rules, or express them in a manner that actually drives users to obey them.
Based on a survey of just under 900 corporate IT workers, the researchers found that many people believe that they can continue to skirt their employers' security laws, in those cases where they have even been made aware of them.
Among the results:
- Some 51 percent of respondents admitted that they have copied confidential information onto USB drives, even though 87 percent of those people conceded that their companies' policies forbid the practice.
- Another 39 percent said that they have lost or misplaced a portable device bearing company information, and 72 percent of those individuals said they didn't report the incident immediately.
- A majority, 56 percent, said that their employers would never be able to determine the type of data contained on any lost devices, and only 10 percent of those surveyed said their organizations have a policy to deal with the loss of a portable storage device that holds sensitive information.
- A total of 46 percent of respondents admitted that they share their computer or network passwords with others, even though 67 percent of those people admitted that their companies ban the practice.
Ouch.
Some of the other findings indicate a substantial level of uncertainty among workers regarding their companies' policies governing certain risky behaviors.
This would seem to indicate that in addition to failing to properly enforce their security rules, a number of firms are failing to communicate the policies to their employees (or maybe even failing to create the laws in the first place).
For instance:
- Some 45 percent of those surveyed said that they access personal Web mail accounts on work systems, with 74 percent of those people submitting that their employers have no stated policy that forbids it.
- Another 45 percent of respondents said that they download personal software onto their company-issued devices, with 60 percent stating that their employer has no official policy governing the practice.
- A total of 33 percent of respondents said that they send workplace documents to their home computers as attachments, with 48 percent claiming that they are unsure whether this violates any existing policy.
And get this:
- Some 17 percent of respondents said that they have previously shut off some form of security settings or firewall on their workplace computers, with 80 percent of them unsure whether or not this violates policy.
Conventional wisdom would dictate that even the most lax companies probably wouldn't let this type of behavior continue if they knew it was going on.
Companies like RedCannon obviously feel that organizations concerned with these problems should enlist DLP tools or similar technologies to keep workers' habits from violating their security laws.
Yet, it would also seem that if companies merely reframed their policies and made sure that workers had been exposed to them, they might be able to change some of the problematic habits.
"Privacy and data protection policies are meaningless if they do not address the full spectrum of threats and if they are not enforced, and our research points to an urgent need to address this pervasive vulnerability in corporate data security programs," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "The development of comprehensive policies, along with training and stringent enforcement of those policies should be a priority in any enterprise-wide data security program."
Even with all the rising concerns (and headlines) regarding major data breach incidents, many companies still appear to have their heads in the sand when it comes to addressing the problem, said RedCannon executives.
The company would surely love to sell its DLP tools as the perfect way to address such issues, but experts with the company recognized the impact that simply drafting better policies, and enforcing the rules, could deliver.
"Data breaches remain the leading cause of financial losses in business, with over 75 percent of Fortune 1000 companies falling victim to data leakage, and this is not going to change without improvements in the enforcement of data security policies," said Vimal Vaidya, founder and chief executive officer at RedCannon. "This study clearly indicates key data management practices that have a serious impact on data security and regulatory compliance, and highlights ways organizations can bolster policy enforcement and reduce the risks of potential data loss."
Posted by Matt Hines on December 4, 2007 03:17 PM