Cisco Study Finds Security Policies Being Undermined

By Greg McNevin

October 30, 2008: Once again highlighting how a security policy is only as good as those who follow it, a new data leakage study commissioned by Cisco has found that communication breakdowns between workers and IT professionals is undermining security.

Conducted by InsightExpress, the survey canvassed 2,000 employees and IT professionals in 10 countries and found an alarmingly large (20 to 30 percent) gap between what each group said when asked if their company had a security policy.

While security has evolved much in recent years, almost one quarter (23 percent) of companies said they did not have a standard security policy, and for those that did many employees felt that they had not been educated by the IT department.

The study says that this could in part be attributed to unmemorable means of communicating new or existing regulations, such as non-verbal means of communication like email or instant messaging. 11 percent of those surveyed claimed that IT rarely or never educates them on security policy matters.

This can lead to risky situations when employees are unaware of IT security policies, or fail to take them seriously and simply ignore them to increase productivity.

“Technology does not equal security,” says Cisco senior security adviser Christopher Burgess. “If your constituency doesn't understand why a policy exists, you need to investigate why it exists.”

“If the individual understand the value of that which they are touching, they will protect it appropriately,” adds Burgess.

Comment on this story