According to a white paper published this week by Cisco, the top 7 reasons that employees violate IT security policies are:
1. They do not think there is enough risk to be concerned
2. They think IT is there to protect them if something goes wrong
3. Security is just not top-of-mind for them
4. They do not care
5. They do not know about or understand the policy
6. They do not know that security is a concern for IT
7. They are in a hurry
You can read the full story here: Data Leakage Worldwide: Common Risks and Mistakes Employees Make
We’d be interested to know:
Is this what you see in your organization?
What steps can companies take to better protect data?
We’ll offer our view about these questions in a future post.
on Nov 19th, 2008 at 10:45 am
Dear Sir or Madam: I was very interested to see the excellent and timely article, “Top 7 Reasons Employees Violate IT Security Policies”. I have managed and emplaced solutions for years, in both the business and academic realms, and the issues are gaining understanding and traction. My view of business vulnerabilities in the face of escalating dependencies and risks culminated in a book, I.T. WARS: Managing the Business-Technology Weave in the New Millennium.
I would be happy to send along complimentary copies of the book to any editors and stakeholders there who may have an interest. While self-published, the book has managed to become an MBA text at University of Wisconsin, and has garnered some critical support, most notably from Thomas Faulhaber, Editor and Found of Boston’s Business Forum. Other sanctions comprise the book’s inclusion to these libraries worldwide: http://www.worldcat.org/oclc/70886916?tab=holdings
A good exposition for the book’s contents can be had at this interview: http://businessforum.com/DScott_02.html - I’ve also been quoted in InfoWeek, Capitol Weekly (CA), and have appeared on DC Metro television’s Communicating Today with John Monsul.
Most data thefts and breaches are due to a lagging business culture. In the realm of risk, unmanaged possibilities become probabilities: While various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. The real crux of the matter is education and training to the organization as a whole – and a recurring schedule of training – in building a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. If you would like copies of my book, please indicate where to send them – and again, my compliments on the article. –Regards, David Scott, author — http://www.david-scott.net
on Nov 19th, 2008 at 4:24 pm
Thank you for the thoughtful coment. I’d love to read your book. You can use the address on our main site, to Will Baccich.