Cisco has released a second set of findings from a global study on data leakage, covering the prevalence and effectiveness of corporate security policies within companies and the reasons employees break or comply with them.
The study is designed to let information technology teams in various parts of the world “understand employee risk factors so they can effectively tailor policies that fit the reality of what their users need to do their jobs.”
The latest security findings follow Cisco’s previous research announced last month on common employee data leakage risks and mistakes around the world. The findings on corporate security policies stem from surveys of more than 2,000 employees and IT professionals in the United States, the United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil conducted by InsightExpress, a U.S.-based market research firm.
“As lines blur between work and home, and as employees use collaborative applications and mobile devices, the role that security policies play in protecting sensitive data becomes increasingly critical,” Cisco officials say.
Earlier this month, TMC reported that ABI Research announced the release of its latest "Green Network Equipment" Vendor Matrix in which Cisco Systems was ranked at the top. Cisco stood first in the overall rankings with its Implementation score and strong internal green efforts.
The study found the majority of employees believe their companies’ policies are unfair. This is the case in eight of 10 countries, excepting Germany and the United States.
John N. Stewart, chief security officer for Cisco, said when employees believe that security policy is unfair, in the way of them doing their jobs and don’t grasp the “why,” then policies “quickly lose their efficacy. Too often we write policies as rules, not as reasons… by engaging with employees and understanding what they need to do their jobs, we can develop realistic policies.”
The research found that 77 percent of businesses “have security policies in place.” The absence of security policies is most prevalent in Japan (39 percent) and the United Kingdom (29 percent).
But even when companies have security policies, the research reveals that employees often defy or ignore them: “More than half of the employees surveyed admitted that they do not always adhere to corporate security policies. Of all the countries, France (84 percent) has the most employees who admitted defying policies, whether rarely or routinely,” the study found. In India, 11 percent admitted “never” or “hardly ever” abiding by corporate security policies.
Depending on the country, the number of IT professionals who knew a policy existed was 20 to 30 percent higher than the number of employees, the study found, with the largest gaps (31 percent) in the United States, Brazil and Italy. Eleven percent of employees said IT “never communicates or educates” them on security policies, with the United Kingdom (25 percent) and France (20 percent) having the greatest number of employees making this claim.
According to IT, employees defy policies for a variety of reasons, from failing to grasp the magnitude of security risks to apathy. However, employees said the top reason for non-compliance is their belief that policies do not align with the reality of what they need to do their jobs.
David Sims is a contributing editor for TMCnet. Edited by Stefania Viscusi