Survey: Two-Thirds of Employees Must Bypass Data Security Controls to Do Their Jobs
Ely, England — March 31

Sixty-eight percent of employees admit to bypassing their employers’ information security controls in order to do their jobs, according to new research from IT Governance Limited. This finding suggests that, even in some of the most sophisticated and security-conscious organizations, managers are failing to understand the correct balance between the confidentiality and availability of information. By implementing the wrong policies and procedures, they are potentially putting their organizations at risk and may be undermining the legitimacy of information security in employees’ eyes.

IT Governance Limited is the one-stop shop for books, tools, training and consultancy on governance, risk and compliance. In February 2008, it polled 130 technology and compliance professionals on issues concerning the UK Data Protection Act (DPA). The respondents included some of the best informed professionals in this area, as evidenced by the high proportion of organizations with independently certified data security measures. The full findings of this survey will be published next month in “Data Breaches: Trends, Costs and Best Practices,” the first of IT Governance’s new series of best practice reports.

The research found that most organizations appeared aware of their responsibilities under the DPA, with more than 80 percent having a data controller or someone responsible for maintaining privacy. Eighty-two percent of organizations had clear policies and procedures for protecting personal data, including documented procedures (68 percent of organizations), formal procedures (57 percent) and informal procedures (24 percent).

Twenty-one percent had policies and procedures certified to best practice standards, such as ISO27001, indicating that respondents represented organizations that are particularly well managed in the field of information security. Nevertheless, the high incidence of employees deliberately circumventing policies and procedures indicates that many of the measures introduced by management are unduly obstructive, either in design or implementation.

Organizations also differ in the comprehensiveness of their data security regimes. While 89 percent cover access to personal data, only 56 percent govern detecting and reporting data losses. Just 39 percent extend to correcting data loss incidents.

The need for DPA compliance is clear, with 96 percent of the organizations represented holding personal information about customers, patients or other individuals. Of these, 56 percent hold payment card or other financial information; 39 percent hold sensitive personal information, such as ethnicity, religion or political affiliation; and 36 percent hold medical information. However, only 55 percent of employees handling personal data have been trained in their legal responsibilities in respect of this information.

Alan Calder, chief executive of IT Governance, said, “Under the Data Protection Act, it is a legal requirement for organizations to safeguard personal information, but this can only be achieved with the support of employees. By imposing ill-considered procedures, many organizations leave people little option but to break the rules if they are to do their jobs. This not only leaves businesses vulnerable to data breaches and fines, but also does lasting damage to the way employees regard info security. If more organizations followed best practice standards such as ISO27001, they would be doing a service to their customers, employees and themselves by making data security workable and readily adopted.”

“Data Breaches: Trends, Costs and Best Practices” will be published April 15 and can be preordered.