Survey: What Employees (Don’t) Know About IT Security Policies
July 10, 2014 by Daniel Humphries
Spend any time talking with IT security experts and you’re likely to hear a common refrain: employees are the weakest link in any organization’s defenses.
A recent survey of 160 security professionals by Osterman Research, for example, found that 58 percent were “most worried” about malware downloaded by employees. Worse, a 2012 survey by Trend Micro found that 91 percent of advanced persistent threats (APTs)—long-term, covert attacks on systems—begin with a “spear phishing” attack, in which cyber criminals directly target specific employees.
It’s clear that companies need solid policies in place that outline best practices for how employees use their computers and other devices. But do firms actually implement such policies, and do employees actually know what information they cover?
To shed some light on the matter, we surveyed 385 adults in the U.S. whose jobs require them to access the Internet on a regular basis. For the purposes of our survey, we defined an IT security policy as: “A document outlining best practices for computer usage and Internet safety at work.” Here’s what we found:
- Slightly less than half of respondents were confident they remembered the contents of their company’s security policy.
- Less than half of respondents recalled seeing security fundamentals, such as password rules and best practices for email safety, outlined in this policy.
- Only 26 percent of respondents received training more than once to reinforce policy awareness.
Under Half Confident They Remember Security Policy Contents
First, the good news: a mere 4.9 percent of respondents said their company had no security policy, while an additional 5.9 percent were unsure. This leaves us with 89.2 percent of respondents working at firms with security policies, so that’s grounds for optimism.
…Or is it? A security policy is not security training, nor is it security awareness—it’s simply a document outlining best practices. Like all such documents, it can be read once and quickly forgotten.
We wanted to know: did employees feel confident they could actually remember what was in their security policies? Here, the results were less rosy:
Are you confident that you remember the contents of your company’s IT security policy?
*Percentages in chart are rounded to the nearest whole number.
Just under half of our respondents said they were “very confident” that they could remember the contents of their firm’s security policy. Meanwhile, 22 percent thought they could remember parts of it, while 17.7 percent were “not at all confident”—meaning that nearly 40 percent (39.7 percent) have a highly unreliable knowledge of their firm’s security policies.
If you factor out the 4.9 percent of respondents from firms without a security policy, the number of “very confident” responses rises to 52 percent; but then again, the percentage of less confident respondents also rises.
Either way, the results are hardly encouraging. A security policy is only the first step towards raising employee awareness of security issues, and these results expose a great deal of ambiguity, forgetfulness and (most likely) indifference.
It’s also important to stress that half of our respondents merely claim they can remember the information in their company’s security policy: there’s no way to be certain whether this claim is in fact true. This brings us to our next survey question.
Most Respondents Don’t Recall Basic Security Policy Steps
Half of our respondents said they felt “very confident” they could remember the information from their firms’ IT security policies, but we wanted to drill specifically into what it was they thought they could remember.
Of course, the contents of a security policy can vary greatly from firm to firm, so in asking this question we stuck with best practices that apply to almost any type of business, such as password rules or appropriate ways to use email. The results were eye-opening.
Which of the following are addressed in your company’s IT security policy? (If you have no security policy, select ‘None of the above.’)
Only 43.5 percent of respondents could remember seeing password security rules in their company’s security policy, while only 39.4 percent recalled content related to secure and insecure uses of email.
Both statistics are lower than the 49.5 percent who were confident that they remembered everything. This suggests that people either work at firms with security policies that are so limited in scope as to be completely useless, or that people don’t remember as much as they think they do.
The statistic for email is particularly alarming. Only 39.4 percent recall policies for email security practices, which means 60.6 percent of respondents have no recollection of ever seeing rules related to the use of email—the most common business application in the world and the route through which many infections enter systems.
It’s no surprise then, that 91 percent of APTs begin through a spear phishing attack, or that security experts are tearing their hair out over all the malware employees download.
Moving down the list, the results are no more encouraging: 62 percent of respondents couldn’t recall seeing a policy related to keeping confidential data secure, while 70 percent hadn’t seen a policy related to handling suspected hacks. Is anyone surprised that we live in an era of breaches?
It’s also interesting to note that, although we were surveying the same group of individuals as we did for question one, 17.9 percent of respondents selected “None of the above.” This was the same option as “NA/no policy at work” listed in the first question, which just 4.9 percent of respondents chose.
So what accounts for this discrepancy? Since it’s hard to imagine an IT security policy document that doesn’t address at least the top two subjects on our list above, it seems likely that our more detailed explanation of what you might find in such a document pushed some respondents who were unsure/not confident about their recall abilities in question one into suspecting they belonged in the camp of those without policies.
Either that, or these respondents’ work security policies are incredibly vague (and thus useless) documents.
Little Being Done to Reinforce Awareness of Security Policies
As we mentioned at the beginning, an IT security policy is not security training, and the mere existence of such a document at a firm does not necessarily indicate a high level of security awareness in an employee.
Drawing up a list of rules and expecting staff to remember them is about as realistic as handing out a list of 300 Russian words to non-speakers, throwing in a few comments about grammar rules and expecting fluent sentences to emerge: we can safely file it under “never gonna happen.”
A security policy is just the first step, which means it needs to be reinforced if employees are to recall its contents. To this end, we asked our final question:
Have you received any training to reinforce the contents of your company’s IT security policy?
*Percentages in chart are rounded to the nearest whole number.
The largest portion of respondents (27.6 percent) said they had received none whatsoever, while 22.3 percent said they’d received training on their company’s IT security policy just once. While it’s possible that some of these answers may have come from employees new to a company, it is exceedingly unlikely that all of them did. This means that a grand total of 49.9 percent of respondents have received little to no reinforcement of the contents of their firm’s IT security policies.
Add in the 14.5 percent of respondents who said they couldn’t remember if they received training, and it gets even worse: 64.4 percent of employees in our sample have received ineffective reinforcement of security policies.
Consider also that the number of respondents who selected the “NA/no policy” option was 10 percent this time around—compared to 4.9 percent for the first question and 17.9 percent for the second question. Clearly, there’s a lot of confusion.
If we compare this last set of results with a survey on the Heartbleed bug that we conducted earlier in the year, a troubling picture emerges. In that study, we found that 77 percent of firms had given no advice to employees about how to respond to what was billed by many at the time as one of the worst security incidents in the history of the Internet.
Taking these studies together, it’s not hard to conclude that, for many firms, IT security remains an afterthought—sloppily put together and patchily enforced.
While it’s a good sign that a majority of firms appear to have security policies in place, it’s much less encouraging to see that most of these firms are failing to adequately reinforce the contents of these policies.
After all, according to a new study by the Ponemon Institute, the average cost of a data breach is currently $3.5 million—a 15 percent increase over the year before—which means many companies clearly need to do a lot more to ensure their employees know the basic rules of secure computer usage at work.
Worse, a sloppy approach to security can add additional risk. Baruch Fischhoff, a professor of cognitive psychology at Carnegie Mellon University and a leading expert in risk perception, argues that security should be a team effort. If employees feel it’s not taken seriously by executives, he says, it becomes “highly demoralizing.”
In other words, if you don’t signal to employees that you take your own security policy seriously, you’re not just losing an opportunity to instruct workers in best practices, you’re making a statement about company priorities: namely, that security isn’t one of them. Is it any surprise, then, that the breaches keep coming?