Among the findings is a far-reaching communications disconnect between IT management and non-IT employees on security and compliance policies. This encompasses such critical areas as effective communication of policies, as well as the use of free consumer-type file transfer tools and corporate email on mobile devices.
Additionally, the survey showed a disturbing percentage of IT management knowingly taking compliance risks and even turning off essential capabilities because of technology issues. At a time when very significant penalties are being levied against organizations of all sizes for non-compliance and data breaches, C-level executives should take notice.
The survey polled more than 400 IT and business decision-makers across the U.S. and Canada. It particularly focused on those in industries that routinely deal with sensitive data and compliance regulations, such as financial services, healthcare and government.
Key highlights include:
IT managers face communications disconnect
- An overall telling sign of disconnect is the confidence level respondents had in their company's ability to pass a compliance audit: non-IT employees are much more confident (65.2% are "very" confident) than those in IT management (46.6%).
- Both IT and non-IT respondents overwhelmingly said their companies have a formal process for updating and communicating security and compliance policies for transferring files electronically. Yet a larger percentage of non-IT personnel (75.5%) than IT management (61.9%) believe employees/coworkers fully understand these policies. While IT management takes a dimmer view of comprehension, on average roughly 1 in 3 respondents felt employees/coworkers do not fully understand these policies. This suggests IT management needs to communicate policies more effectively and create greater awareness of the risks and fallout from violations, particularly among non-IT employees.
- 51.6% of IT management said free consumer-type file transfer services are forbidden at their companies. Yet, only 24% of non-IT workers reported that to be the case.
- Although 94.2% of IT management said mobile devices are allowed for corporate email, only 62% of non-IT personnel agreed, yet most still use them. This implies not only a lack of enforcement and communication of policies; it also suggests a large percentage of workers may use mobile devices to send sensitive data intentionally or without knowing whether this is permitted.
- Among organizations with email encryption capabilities, 44.4% still lack the ability to send and receive encrypted email from their mobile email client.
- Overall, only 44% of respondents said their company has a BYOD policy, even as 86.7% of these same organizations permit the use of mobile devices for email.
- While 56.1% of IT management said they have a BYOD policy in place, 74.9% of non-IT employees say they either don't have a policy or are unsure, another clear indication that policies are not being effectively communicated.
- 71.7% of respondents said they now have email encryption capabilities, a 6.2% increase over 2012 survey results.
- Confidence in compliance has grown as well: 48.1% feel "very" confident their company would pass a compliance audit, compared to 37.5% a year ago.
- Of the 80.9% of respondents who said their company has security and compliance policies for transferring files electronically, 59% described enforcement as "very aggressive," a nearly 12% increase over 2012.
- Despite improvements, 79.5% of respondents believe employees/coworkers routinely or occasionally violate security and compliance policies for transferring files electronically.
- When asked about their approach to compliance, more than 1 in 5 in IT management (22.3%) said about their company, "we take risks because we don't have the resources to be totally compliant."
- Nearly 2 in 3 (62.6%) in IT management said policy filtering, used to monitor the content of outbound email and file attachments for compliance purposes, causes problems with false positives (unnecessarily encrypted emails). Nearly a quarter (24.2%) admit to having gone as far as turning off their policy-based filtering.
"IT has to keep pace, which is why the communications disconnect with non-IT employees, as well as the risks being taken, require immediate attention. Furthermore, regulatory developments in many industries have expanded, meaning companies not previously covered might be now. Failing to comply can be devastating," added Janacek. "These survey findings give us a textured understanding that hopefully will help businesses overcome and anticipate related issues, especially in an age where security and compliance can so dramatically impact the bottom line."