Most organizations around the world have some kind of IT security policy in place. But they’re still at risk since the policy isn’t always adhered to, and in some cases, it’s not communicated properly to users.
Those are some of the key findings of new statistical data from a Cisco-sponsored study on the global security perceptions of 2,000 professionals.
While Cisco (NASDAQ: CSCO) makes much of its money from selling technology solutions, the study confirms that more emphasis is needed on the humans who use technology. And at a time when the industry is struggling to cope with ever-growing numbers of breaches and data leaks, businesses may ignore that conclusion at their peril.
“How do you have technology help people make good decisions?” Jon Stewart, Cisco’s chief security officer, said during a Webinar discussing the study. “Phrasing it that way is a lot better than saying how to make technology that will stop people from making stupid decisions.”
The Cisco study found that on a global basis, 77 percent of respondents have security policies in place — though only 41 percent stated they adhered to those policies all the time.
According to its findings, most respondents viewed their company’s security policies as being unfair. The top reason for non-compliance, at 42 percent, was the claim that the corporate security policy doesn’t align with how they need to do their jobs.
The problem, though, is that by not remaining in compliance with their corporate security policies, users leave their organizations open to risk. Sixty-five percent of respondents in the Cisco survey said they believed that viruses were a result of non-compliance with policy, while 45 percent agreed that non-compliance led to unauthorized access to information.
“Why is IT writing policy in isolation?” Stewart said. “Why isn’t it that the business is writing the rules and IT is helping them? If we do it that way, I suspect language will change and it will look more relevant and IT will stop being the blame monger for the problem.”
Stewart argued that having security become a key part of overall corporate policy and directed by business executives is the right approach. If users can see and know that there are business consequences to their actions, they are more inclined to remain compliant.
Cisco also found that it’s important to convey security policies in more than just an e-mail, which can be easily ignored. Stewart noted that having security policies conveyed verbally should also be part of a company’s security communication strategy.
The report is the second in recent months from Cisco on the issues related to data leakage. The first report revealed that users in the U.S. were relatively more security-aware than those in other locations.