Stronger Voice Needed with Security Policies

Wednesday, January 22, 2014 @ 05:01 PM gHale

Whether it is in the office or out on the plant floor, everyone needs to understand how they can contribute to ensuring a secure work environment, but there remains a communications disconnect between IT management and non-IT employees on security and compliance policies, a new report said.

This disconnect encompasses such critical areas as effective communication of policies, as well as the use of free consumer-type file transfer tools and corporate email on mobile devices, according to the report from DataMotion.


Additionally, the survey showed that some in IT management are knowingly taking compliance risks and even turning off essential capabilities due to technology issues. At a time when very significant penalties can be brought against organizations of all sizes for non-compliance and data breaches, C-level executives need to be aware of the issue.

The survey polled more than 400 IT and business decision-makers across the U.S. and Canada. It focused on those in industries that routinely deal with sensitive data and compliance regulations, such as financial services, healthcare and government.

Key highlights include:
IT Manager Disconnect
• An overall telling sign of disconnect is the confidence level respondents had in their company’s ability to pass a compliance audit: Non-IT employees are much more confident (65.2 percent are “very” confident) than those in IT management (46.6 percent).
• IT and non-IT respondents said their companies have a formal process for updating and communicating security and compliance policies for transferring files electronically. Yet, a larger percentage of non-IT personnel (75.5 percent) versus IT management (61.9 percent) believe employees/coworkers fully understand these policies. While IT management takes a dimmer view regarding comprehension, on average, roughly 1 in 3 respondents felt employees/coworkers do not fully understand these policies.

Email Encryption and Mobile Devices
• Although 94.2 percent of IT management said workers can use mobile devices for corporate email, only 62 percent of non-IT personnel agreed, yet most still use them. This implies not only a lack of enforcement and communication of policies; it also suggests a large percentage of workers may use mobile devices to send sensitive data, either intentionally or without knowing whether it is allowed.
• Among organizations with email encryption capabilities, 44.4 percent still lack the ability to send and receive encrypted email from their mobile email client.
• Only 44 percent of respondents said their company has a BYOD policy, even as 86.7 percent of these same organizations permit the use of mobile devices for email.

Improvement, but Risk Taking Persists
• 71.7 percent of respondents said they now have email encryption capabilities, a 6.2 percent increase over 2012 survey results.
• Confidence in compliance has grown as well: 48.1 percent feel “very” confident their company would pass a compliance audit, compared to 37.5 percent a year ago.
• Of the 80.9 percent of respondents who said their company has security and compliance policies for transferring files electronically, 59 percent described enforcement as “very aggressive,” a nearly 12 percent increase over 2012.
• Despite improvements, 79.5 percent of respondents believe employees/coworkers routinely or occasionally violate security and compliance policies for transferring files electronically.

“It’s good to see improvements in security and compliance since last year, but serious problems remain and new ones have cropped up,” said DataMotion’s Chief Technology Officer, Bob Janacek. “There’s always a demand for new tools such as email on mobile devices — companies and workers look for better ways to get the job done. The challenge is to provide encryption and filtering tools that are easy for people to use, and dependable so they don’t get disabled.”

“IT has to keep pace, which is why the communications disconnect with non-IT employees, as well as the risks being taken, require immediate attention,” Janacek said. “Furthermore, regulatory developments in many industries have expanded, meaning companies not previously covered might be now. Failing to comply can be devastating.”
