Employees consistently breach security policies, report finds

Employees always breach security policies and are less likely to take a job with strict security policies, according to a report by Cisco released today.

The report reveals that more than half of the over 500 IT security professionals polled in the survey were aware of their employees using unsupported applications, primarily social networking, but collaborative, peer-to-peer, and cloud services also featured high on the list. Nineteen percent saw social networking as the biggest security risk.

Forty-one percent said that their employees were using unsupported network devices, such as smartphones, while a third of that number said there was a breach or loss of information due to these unsupported devices.

Despite this, 53 percent have planned to allow personal devices to be used within the company network, while seven percent already allow them.

The report also found that nearly three quarters discovered that overly strict security policies had a negative impact on hiring and retaining employees under the age of 30.

TechEye spoke to Maurizio Taffone, Borderless Network Technical Product Marketing Lead at Cisco Europe, about the findings.

He told us that traditionally security policies tended to be too strict, depending on the company, but that Cisco found that the majority of IT employers, particularly in India and China, found that hiring and retaining employees was negatively affected by such a limited approach.

He said that the intellectual property and business processes of a company need to be protected, but Cisco advises its customers to take a balanced and flexible approach to security. He gave an example of one business using a Second Life environment to train its employees on security.

Taffone said there is a definite negative impact from overly restrictive security policies and that security decision makers need to refine their company’s policies to adapt to changes within the work environment. He said that overly lenient security policies are also a problem and that companies need to weigh the need and potential benefit against the acceptable risk. He mentioned that Cisco’s Validated Secure Borderless Network Systems is one way of doing this, which offers a secure foundation and simplified solution for routing, switching, security, and mobility.

He said that social networking, the biggest factor revealed in the report, is neither good nor bad and that Cisco has a strong social networking presence, which allows for an extremely powerful way to communicate with customers, partners, and employees, ultimately adding to productivity. He compared it to some companies using a large internal forum for discussion and advertising internal news and positions.

He qualified these remarks by saying that it does provide additional challenges to security, such as in the example of details of a new product launch getting into the wrong hands due to an employee checking their smartphone in a public place. He said that common sense is needed here so that employees do not work on confidential material in an unsafe environment.

Enforcing security over multiple devices is adding complexity to the situation. Taffone told us that a multi-vendor approach is needed, such as Cisco’s VPN client AnyConnect or the recently announced Cisco Developer Network. Other systems that could be put in place include an ASA firewall and IronPort filtering solutions.

He said that in order to develop intelligence within a network, so that it knows what devices to trust and what policy provisions to provide, a system such as TrustSec needs to be in place. Static systems need to be replaced by dynamic ones that can adapt to the situation and allow for easy remote access while maintaining a high level of security.

He said that when it comes to the fine balance between security and access in a workplace there is a vehicle of threat, but there is also a vehicle of defence.