Users bypass security to get their jobs done

Fear of data protection regulations creates barriers to work, according to a survey by IT Governance

A poor understanding of the Data Protection Act is creating unnecessary restrictions on the use of personal data in organisations, and is forcing employees to bypass security in order to get their jobs done.

According to new research from IT Governance, a consultancy, two-thirds of employees find a way around security controls, not with any malicious intent, but merely to do their jobs properly.

"The problem is that companies tend to pass data protection to the IT department to look after," said Alan Calder, chief executive at security consultancy IT Governance. "The IT department knows it's their head on the block if anything goes wrong, so they focus on protecting confidentiality of information based on their interpretation of what they think the law is." By locking the information down too tightly, the IT department forces users to find ways around the system.

Calder said he had seen many examples of this happening. For instance, hospice nurses had been forced to print off patient records because their network was unreliable and because restrictions on access meant they could not get to information as quickly as they needed.

In another case, payroll staff were not officially allowed to work from home on their personal machines because the link was not considered secure enough. So they copied files on to USB sticks and took the information home to work on.

"In some circumstances, the USB stick was lost, and was usually unencrypted," Calder said. "Sometimes the home workstation had a nice collection of Trojans and other malware that the user brought back in and infected the corporate system."

He said company boards needed to take a closer interest in data protection and information security, rather than leaving it to the IT department. "Management has to decide on the balance between providing information to people who need it, and the type of restrictions that are necessary to protect it. It means there has to be an intelligent conversation with the people who work with the data."

Those conversations might end up recommending technical solutions, such as whole-disk encryption for laptops or secure access for remote users, but Calder said the answer was to "just think through what the staff members really need to do their jobs, and give it to them."

The survey of 130 technology and compliance professionals took place in February, and the full findings will be published in May by IT Governance.
