Research Confirms: Don’t Trust Your Users to Comply With Security Policies

It’s not like this is a surprise to experienced sysadmins: If you care about your company’s security, particularly with regard to mobile devices, don’t expect your users to follow the rules. But now we have research to back that up.

According to a recent survey of U.S. IT professionals, conducted by Ponemon Institute and Lumension, the primary reason that IT departments have difficulty managing security risks on smartphones, tablets, and laptops is employees not complying with security policies. That’s the case even though 78% of survey respondents feel that employees who don’t follow security policies are a threat to mobile security.

Although IT security risks are growing most rapidly on mobile devices such as smartphones, few organizations have governance and control processes to stop attacks on these devices. And when such policies exist, reports the study, “2015 State of Endpoint Report: User-Centric Risk,” 70% of IT professionals have endpoint security policies that are difficult to enforce. Other enterprise endpoint security threats high on Ponemon’s list include the use of commercial cloud applications, BYOD, and employees who work remotely.

So, why are employees the biggest source of risk? For most people, endpoint security isn’t top of mind; they — we! — want to get work done. Most of us, when faced with a security policy, just sign it or click “Agree.” Unless you’re an IT or security professional, chances are you don’t take the time to read all that fine print. But maybe you should, because getting fired for failing to comply with security policies is a real possibility.

“People say the solution to security and data privacy concerns is putting policies and procedures in place, but that means putting the responsibility in the hands of individuals and expecting them to strictly follow those guidelines,” says Dave Packer, Druva’s director of product marketing. “Unfortunately, you can’t trust people to always follow regulations. Technology needs to help companies enforce their regulations by filling in those holes wherever it can.”

It would make a big difference if IT had better control over those governance and control processes. According to the survey results, 72% believe that attacks on an organization’s devices can be stopped by implementing a combination of technologies, processes, and in-house expertise.

Want to know more about keeping corporate data safe on mobile devices? Read our white paper: The Essential Security Checklist for Enterprise Endpoint Backup.