Most technology professionals often knowingly ignore security policies according to a survey of more than 890 IT professionals by the Ponemon Institute. Many are even unaware of any such policies.
"The key takeaway is that information security policies are not being read, or - if they are being read -- are not being understood, or if understood, people may not be following it," said Larry Ponemon, chairman of the privacy think tank.
More than half of the respondents in the Ponemon survey released this week said they had personally copied confidential company information into USB memory sticks, even though more than 87 percent admitted that company policy forbade them from doing so. In addition, 57 pecent believed others in their organisation routinely used memory sticks to store and transport sensitive or confidential company data. Among the reasons cited for non-compliance were lack of policy enforcement and convenience.
Similarly, about 46 percent said they routinely shared passwords with colleagues, even though a two-thirds majority of the respondents said their company's security policies prohibit them from doing so.
In some cases, the violations appear to happen because employees are unsure about company policy. For instance, 33 percent of survey respondents said they sent workplace documents home as email attachments. Nearly half the sample didn't know whether that practice constitutes a breach of policy. In the same vein, eight out of 10 of the IT professionals in the survey said they were unsure whether turning off network firewalls is a policy breach - which may explain why 17 pecent admitted to having done so.
Sometimes, however, insider security breaches result from a lack of clear corporate guidelines.
For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60 percent of respondents said their companies had no stated policy forbidding the installation of personal software on company computers. Nearly half admitted to downloading such software including peer-to-peer (P2P) file sharing tools on company hardware. More than seven in 10 said they did not immediately report lost or missing devices containing company data.
"The reason why these thing are happening [is] because compliance is not enforced," Ponemon said. While more IT managers may realise the need for company-wide security policies, "people are just not paying attention to enforcement. There is no auditing" for compliance.
The Ponemon report is another reminder of the information security weaknesses that analysts have said often exist inside corporations. Though companies have for years focused their efforts on securing networks against external attacks, fewer have focused on accidental and malicious data leaks from inside. That's one reason why, despite the hype surrounding external hackers, many security managers are more worried about internal compromises.