Following the new research findings from tech consultancy firm CEB, which note that 90+% of employees violate breach prevention policies, IT security experts from Synopsys Software Integrity Group and Balabit commented below.
Mike Ahmadi, CISSP, Global Director – Critical Systems Security at Synopsys Software Integrity Group:
“I do not find it surprising that employees violate data breach policies, because I have indeed been in the same situation. In one case the IT department simply did not have any failure mode in place to compensate for instances where the policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower level IT support staff would often suggest the workaround. Most employees do not want to willingly violate these policies, in my experience, but the business world penalizes lost productivity and does not reward employees who use the excuse “I was following the data loss policy guidelines. Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies.”
Zoltán Györkő, CEO at Balabit:
“With each new data point that demonstrates employees’ willingness to forgo information security in favor of convenience, one fact becomes increasingly clear: organizations have a long way to go in order to balance security and business.” said “Today’s findings demonstrate the need for enterprises to recognize this fact and prepare accordingly for real time monitoring to prevent data leaks by both intruders and insiders.
“Today’s results are especially discouraging. A similar 2015 survey conducted by Balabit showed a full 69% of employees as being willing to bypass security for expediency, and today’s 90% number – although conducted among a different target group – marks significant increase in just a year. So in other words, while hackers are getting more malicious and creative in their approaches, organizations may be becoming more complacent. Both trends are moving in the wrong direction.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.