Majority break information security policies – survey

Breaches of information security policies include insecure use of USB memory sticks, web-based email, password sharing and turning off security settings.

The Ponemon study, conducted among 967 end users of corporate information technologies, found that 69% of employees copy confidential or sensitive business information onto USB devices, and a further 61% admitted that they have then transferred that information onto computers outside the company network. In Ponemon’s 2007 study, 51% admitted to copying data onto USB devices.

The majority (53%) said they download personal internet software to their company computers, compared to 45% in 2007, and 52% said they access web-based email accounts from company computers against 45% in 2007.

Just over a fifth (21%) turn off security settings or firewalls on workplace computers, and almost half (47%) share passwords with co-workers. John Jefferies, vice president of marketing at IronKey, told Infosecurity that mostly, these actions are not taken with malicious intent, but that it is “people just trying to get their jobs done.”

The loss of portable data-bearing devices went from 39% in 2007 to 43% in 2009. IronKey said the study shows that the non-compliance rate is getting worse with the increased frequency of lost or missing portable devices, which are, more often than not, left unreported.

Lost or stolen mobile data devices     Lost/stolen   Reported
Laptop                                 9%            91%
USB memory stick                       36%           28%
CDs/DVDs                               33%           32%
Blackberry, iPhone, iPod, or Treo      22%           62%

Jefferies said: “They were most likely to report a lost laptop and least likely to report a lost flash drive. And part of that is just a straight function of cost where a laptop is certainly more expensive.”

Lack of infosecurity training

Employees appear to hold employers responsible for information security policy breaches, with 58% of respondents saying their companies do not provide adequate training on information security compliance and about the same number saying the information security policies are ineffective. Around half of respondents said their corporate information security policies are largely ignored by employees and management, and that the policies are too complex to understand.

Jefferies pointed out that companies often communicate information security policies when they are being implemented, but that they often do not give regular updates after that. Also, “it is typically not set at a level that makes them [employees] feel that they have a considerable impact on the security of the company and the security of their jobs.”

The study also found that the attitudes of employees towards their company greatly affected information security compliance. Jefferies said: “You get the correlation between what people felt about their employer and the rate of compliance. Not too surprising, the more people feel positively about their employer, the more likely they are to follow the security policies and not try to circumnavigate them.”

The Ponemon study identified five areas for improvement:

  • Create a security conscious culture among employees (internal, temporary and external);
  • Strengthen existing policies and update on emerging technologies such as mobile devices and social media;
  • Enforce non-compliance with stated policies and establish clear accountability for security and data protection practices;
  • Establish training activities for all employees as part of a company-wide data security awareness programme;
  • Monitor basic security practices and procedures conducted by employees.

IronKey’s solution

Asked how IronKey could help organisations with some of the problems highlighted by the Ponemon study, Jefferies told Infosecurity: “Our drives are always encrypted, so if you lost or had your drive stolen, you would be sure that no-one could get to your data.”

In addition to providing encryption, IronKey has what Jefferies called a ‘silver bullet’ – namely the ability to remotely wipe and/or kill the device over the internet, and to restrict where the device can be used.

The IronKey can be used for storing data, but also to enable employees to work remotely using a virtual desktop accessible via the flash drive. The drive can also support anti-virus, it can be opened in read-only mode, and no software or drivers are needed to use it.