Security policies often ignored, non-existent, survey finds

A recent study discovered that an organization's security policies -- if they even exist -- are often poorly thought out and badly communicated to employees and users.

Security policies are out of touch with business needs, and are often seen by users as something to bypass in order to get their job done. That is one of the findings from a new global study by communications giant Cisco Systems Inc., which talked to more than 2,000 users and IT decision makers in 10 countries, including the UK.

The study discovered that many organisations do not even have security policies, and where they do, the message is poorly thought out and badly communicated to users.

This lack of attention tends to create a 'them and us' environment in which users feel obliged to ignore policies that, in their opinion, bear little relevance to the realities of day-to-day business. In the survey, IT departments were also criticised for the often impersonal way they communicate policies to the rest of the organisation.

For many companies, however, this is not a problem – simply because no policy appears to exist. In the UK sample, only half of end users were aware of a security policy, while 71 percent of IT decision makers knew they had one.

In the UK, only 33 percent of users thought their company's security policy 'fair,' and 37 percent said they follow policy constantly. Almost half of those surveyed, however, responded that they comply 'most of the time.' The remaining 11 percent said they rarely or never adhere to policy.

Policy breaches were viewed very differently by the IT decision makers and the end users.

Asked why they thought the end users failed to follow policy, the IT decision makers' answers ranged from 'They don't care' (34 percent) and 'They don't know or understand' (31 percent), to 'They are in a hurry' (24 percent) and 'Not enough risk to be concerned' (44 percent).

From the point of view of the end users themselves, the picture looked very different. In the UK, 55 percent of end users agreed that the policy did not align with reality and prevented them from doing their job, and 27 percent said they needed access to certain programs that were not included in the policy.

Christopher Burgess, senior security advisor at Cisco, said the results offer "a tremendous opportunity here for a course correction" in companies wanting to develop more effective policies.

He said policies should be developed in conjunction with business units, instead of being handed down by the IT department, and they should be communicated more effectively, rather than just in a dry email to staff, for example (which is how it is done in 74 percent of UK organisations).

"It should be like any other marketing effort," said Burgess. "People learn and assimilate information in different ways. So we have to touch all their senses, and be clear to the end users that what they are touching is of value. Many don't understand the value of the information they are handling."

But the situation looks set to worsen, as more users move over to using PDAs and smartphones for their daily business when out of the office. A recent survey by Vodafone Group Plc found that nearly a quarter of all UK businesses had experienced security problems as a result of employees using laptops or mobile email devices outside of working hours and in contravention of company security policies.

One in three mobile workers said they had never read their employer's IT policy or had no idea if one existed.
