Most employees bypass data security controls to do their jobs
Over 68 per cent of employees admit to bypassing their employers' information security controls, according to research from IT Governance Limited, which also finds that even in some of the most security-conscious organisations managers 'fail to understand the correct balance' between 'confidentiality and availability of information'.
By implementing the wrong policies and procedures, managers are potentially putting their organisations at risk and 'undermining the legitimacy of information security' in employees' eyes.
IT Governance Limited polled 130 technology and compliance professionals on issues concerning the UK Data Protection Act (February 2008). The full findings of this survey will be published next month (April) in 'Data Breaches: Trends, Costs and Best Practices', the first of IT Governance's new series of Best Practice Reports.
The research found that most organisations appeared aware of their responsibilities under the Data Protection Act, with over 80 per cent having a data controller or someone responsible for maintaining privacy, while 82 per cent of organisations had clear policies and procedures for protecting personal data, including documented procedures (68 per cent of organisations), formal procedures (57 per cent) and informal procedures (24 per cent).
A further 21 per cent had policies and procedures certified to best-practice standards such as ISO 27001, which suggests that the respondents represent organisations that are particularly well managed in the field of information security. Nevertheless, the high incidence of employees 'deliberately circumventing policies and procedures' indicates that many of the measures introduced by management are 'unduly obstructive', either in design or implementation, the report avers.
Organisations also differ in the comprehensiveness of their data security regimes: 89 per cent have controls covering access to personal data, but only 56 per cent cover detecting and reporting data losses, and just 39 per cent extend to remediating data loss incidents once they have occurred.
With 96 per cent of the organisations represented holding personal information about customers, patients or other individuals, the need for Data Protection Act compliance is clear: of these, 56 per cent hold payment card or other financial information; 39 per cent hold sensitive personal information (ethnicity, religion or political affiliation); and 36 per cent hold medical information. However, only 55 per cent of employees handling personal data have been trained in their legal responsibilities in respect of this information.