Employees violate security policies on a regular basis, which is why the majority of data breaches involve insiders in one way or another. Sure, sometimes security incidents are caused by disgruntled or opportunistic employees; most of the time, however, the motives are far less sinister.
So, what are the main reasons employees violate security policies?
1. A Lack of Security Awareness Training
According to a report by Clutch.co, more than 28% of employees don’t know whether their company has a cybersecurity policy, and only 56% of employees feel their company is prepared for IT security threats.
Educating employees about cyber-security is perhaps the most effective way for companies to protect their sensitive data. Social engineering techniques can be very hard to spot. Even seasoned IT security professionals have been known to click on a suspicious link or download a malicious attachment. However, most of the time, successful phishing attacks are the result of careless or naive employees.
Additionally, employees often fail to protect their devices. For example, they download untrustworthy applications, access sensitive data over an unencrypted public Wi-Fi connection, store unencrypted sensitive data in the cloud, or simply lose a device that has access to sensitive data.
2. A Need to Get the Job Done
Before we place too much blame on employees for violating security policies, it is important to note that a lot of the time they break the rules out of inconvenience or frustration.
Perhaps an employee needs to regularly share information with a colleague, but the protocol for doing so is perplexing and arduous. In that case, they will naturally seek a shortcut, such as sharing login credentials with each other.
According to a recent survey by Dell, “72% of employees are willing to share sensitive, confidential or regulated company information”. Pressure is another reason why employees violate security policies. For example, an employee under pressure to meet a deadline may be tempted to overlook certain procedures.
Additionally, employees may violate security policies when they are under pressure to be helpful. Business email compromise (BEC) scams are a type of social engineering attack where companies and individuals are tricked into sending wire transfer payments to an attacker – masquerading as a trusted entity, such as a business partner.
BEC scams are becoming increasingly popular. According to the Internet Crime Complaint Center (IC3), there was a 136% increase in identified global exposed losses between December 2016 and May 2018. The attacker will often fabricate a story about why the payment is needed ASAP and will seek to take advantage of people’s willingness to help.
3. Accessing Sensitive Data Due to Curiosity
According to research by Oneidentity.com, 23% of security professionals reported that employees frequently attempted to access data that is not necessary for them to do their job. While there could be a variety of reasons for this, it could be simply down to curiosity. Perhaps they wanted to snoop on someone they know, or perhaps they were hunting for information relating to a certain celebrity.
A lack of security awareness training, combined with unrestricted and unmonitored access rights, is usually the main cause of security incidents. Companies must first develop a formal security policy and make sure that all employees have been trained accordingly.
To prevent employees from gaining access to data that is not required for them to adequately perform their duties, companies will need to enforce “least privilege” access rights through role-based access controls (RBAC), and implement a sophisticated DCAP (Data-Centric Audit & Protection) solution to keep track of any changes made to these rights in real time.
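As an added illustration (not code from the original article or from any DCAP product), the following shows the two controls above in miniature: a least-privilege RBAC check, and a review pass over a constructed audit log that flags users who repeatedly attempt access outside their role (the “curiosity” pattern from section 3) and records every change to access rights. The role names, users, resources and log entries are all hypothetical.

```python
"""Least-privilege RBAC check plus an audit-log review that flags
out-of-role access attempts and records changes to access rights."""
from collections import Counter

# Hypothetical role-to-resource mapping (constructed for this example).
ROLE_PERMISSIONS = {
    "hr": {"payroll", "employee_records"},
    "sales": {"crm", "price_list"},
    "finance": {"payroll", "invoices"},
}
# Hypothetical user-to-role assignment.
USER_ROLES = {"alice": "hr", "bob": "sales", "carol": "finance"}


def is_allowed(user, resource, roles=USER_ROLES):
    """Least privilege: a user may touch only what their role requires."""
    role = roles.get(user)
    return resource in ROLE_PERMISSIONS.get(role, set())


# Constructed audit log: (event, user, resource or new role).
AUDIT_LOG = [
    ("access", "alice", "payroll"),            # HR reading payroll: in role
    ("access", "bob", "employee_records"),     # sales reading HR data: out of role
    ("access", "bob", "employee_records"),
    ("access", "bob", "payroll"),
    ("access", "carol", "invoices"),
    ("role_change", "bob", "finance"),         # rights change to be reviewed
    ("access", "bob", "payroll"),              # now in role after the change
]


def review_log(log, threshold=2):
    """Replay the log against the current role mapping.

    Returns (flagged, changes): users with >= threshold out-of-role
    attempts, and every rights change as (user, old_role, new_role).
    """
    roles = dict(USER_ROLES)           # copy so replay does not mutate globals
    denied = Counter()
    changes = []
    for event, user, target in log:
        if event == "role_change":
            changes.append((user, roles.get(user), target))
            roles[user] = target       # later accesses are judged by the new role
        elif not is_allowed(user, target, roles):
            denied[user] += 1
    flagged = {u: n for u, n in denied.items() if n >= threshold}
    return flagged, changes
```

Running `review_log(AUDIT_LOG)` on the constructed log flags `bob` with three out-of-role attempts and records his sales-to-finance role change; in a real deployment the same two outputs would feed an alert queue and a rights-change review rather than a return value.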