April 1, 2013

Survey Says! End users ignoring security rules?

80% of IT security professionals think end users purposely ignore security rules

A recent Lieberman Software survey revealed that over 80% of IT security professionals think end users deliberately ignore security rules. Approximately 250 IT security professionals participated in the survey. Lieberman Software CEO Philip Lieberman stated: “These figures highlight the fact that most end-users are still not taking IT security seriously and are unnecessarily putting corporate data – and potentially customer information – at risk…Organizations need to implement better cyber security training that properly instructs staff about the consequences of data breaches.” [1]

Adding end users into the security conversation could improve overall security

It is easy to offer up “better cyber security training” as the answer to that statistic. Before pushing out more training or spending money on security software, it is worth looking at the reasons behind the non-compliance, because training can only be effective if it addresses those reasons. In a 2008 Cisco Systems worldwide study, the main reasons end users gave for not complying with IT security rules were that they think the risk is not high enough to warrant concern, that IT is there to provide security, or that security is simply not a top concern for them. [2] IT security professionals should therefore work on clearly communicating the reasoning behind the rules: articulating the threat, explaining how the inconvenient security rules protect against that threat, and making clear that security relies on every employee doing their part. People are more willing to follow a rule when they believe it has value. Including end users in the security conversation, instead of just telling them what to do, would go a long way toward furthering real security.

You may read the Lieberman Software study at http://www.liebsoft.com/2013_information_security_survey/

1. Dark Reading (25 March 2013). “Lieberman Software survey reveals staff ignore IT security directives: Even if they were to come from the CEO.” Retrieved from http://www.darkreading.com/compliance/167901112/security/news/240151661/lieberman-software-survey-reveals-staff-ignore-it-security-directives-even-if-they-were-to-come-from-the-ceo.html?pgno=#

2. Cisco Systems, Inc. (2008). “Data leakage worldwide: The effectiveness of security policies.” Retrieved from http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-503131.html