Employees remain obstacle to security


Your staff hates security processes. Of course, this is something we already knew. Antivirus software slows down their machines, and remembering zillions of passwords is a hassle. VPN software is often kludgy, and almost every other security process we ask employees to follow gets in the way of doing their jobs easily. At least that’s the way they see it.

This shouldn’t be a surprise to anyone, but a recent survey from security firm Biscom showed that employees really, really, really do not like having to follow security policies.

The survey questioned more than 600 employees — from associates to senior executives — at U.S. companies with both data security policies and security tools in place. The companies included industries that are often heavily regulated, such as healthcare and financial services.

The survey respondents stated that their organizations provide secure ways to send and share information, but the results show that the respondents don’t seem interested in them. Consider this: 95 percent of respondents said that their organization provides tools to secure information, 85 percent said that there are policies in place for sharing information and 88 percent said their company even trains employees how to share information securely.

A full 78 percent of respondents said that they do understand and agree with their organization’s security policies. That’s a good start, but things got ugly from there. A majority of survey respondents (74 percent) said that they share information insecurely with their internal colleagues, and 60 percent said they do so with people outside the organization.

Why would they overshare like this? Complexity. When they decide to skip security policies or tools it’s because of the hassle. Respondents cited complexity as the biggest reason why they shunned using security tools and working within compliance policies.

There’s an old adage in security that convenience trumps security. These results show that there’s a lot of truth to that. The takeaway for security professionals is that security and compliance policies have to be built integrally into staff workflow, or it’s highly likely they will be ignored and go undone.

It is largely unstructured data that employees are handling so insecurely — Word documents, presentations, Excel spreadsheets, financial data and media files that can all contain highly sensitive and regulated information. In fact, 49 percent of respondents admitted to insecurely sharing highly regulated data such as medical or financial information. Other types of information shared improperly include strategy documents or presentations (35 percent) and intellectual property like source code or patent filings (29 percent).

What would cause respondents to change their careless ways?

Monitoring. The survey revealed that 80 percent of respondents would change their behavior if IT monitored their activity in real time and if IT was notified of suspicious activity.

That’s certainly one way to do it. Monitor, or try to monitor, every click of every staff member and end-user. Or, organizations can build secure workflows and ways for everyone to collaborate within policy.

I know where I’d rather work.


  1. Convenience will always trump security, at least for the average person. People just want to get their job done in the most effective way possible. In a typically under-resourced department, any procedure, security or otherwise, that appears to deliver more cost than benefit to the user, will be worked around. However, if security is thought of as a part of the process, not something to be bolted on, and designed in from the start, then it will become unobtrusive and not be seen as an inconvenience. Additionally, security teams need to get the users involved when choosing tools and designing procedures – what is a minor inconvenience to the security team once, when they design the procedure, can easily become a major time and/or resource sink for the user who has to follow the procedure 100 times a day.
