According to an end user security survey released this morning, 72 percent of employees are willing to share confidential information. In the financial services sector, the percentage was even higher – 81 percent said they should share sensitive, confidential or regulated information.
This is despite the fact that 65 percent said that it was their responsibility to protect confidential data.
“There is an acknowledgment by employees that security is important,” said Brett Hansen, vice president for endpoint and data security at Dell, the company that sponsored the survey. “But their actions are not consistent with good data security.”
The majority of employees also accessed personal social media accounts and personal email from work devices.
Employees also felt that the companies’ security policies were getting in the way of them doing their jobs, with 76 percent saying that their employers prioritized security over productivity.
“This survey validated what I hear directly from the companies,” said Hansen. But he was still surprised, he said, by the degree of risks that employees were taking.
“So they feel responsibility, unless it gets in the way of productivity, unless it’s not good for me,” he said. “I’m embracing security — as long as it doesn’t encumber me in any substantial way.”
At least, when it came to sharing information, the employees thought they had good reasons — they were told to do it by their managers, they thought it would help the company, they thought it would help them be more effective in their job, or they were helping out the recipient.
But 35 percent also said that it’s common to take proprietary information with them when leaving a company.
“They felt that it would be good for them,” said Hansen. “I don’t know if that’s an excuse or an admission of ‘Hey, I’m doing what’s best for me.'”
The survey also showed that a large number of companies are doing security awareness training, with 63 percent of employees reporting some form of training.
This was the first year of the survey, Hansen said, so there wasn’t historical data to compare against. “But having seen other research, I do think that the number is increasing, and more and more companies are conducting security training.”
However, of those who received training, 18 percent were still making bad security decisions because they didn’t realize they were doing anything wrong — and 24 percent did it knowing it was wrong because they wanted to get their jobs done.
One surprising result of the survey was that when it came to inappropriately sharing confidential information, those who received the training were actually more likely to do it — 73 percent, versus 62 percent.
Similarly, those who received security training were also more likely to take information with them when they leave a job.
That doesn’t necessarily mean that security training causes employees to behave badly, said Diane Hagglund, principal researcher at Dimensional Research, the company that conducted the survey.
“The survey results do show that required cybersecurity training goes hand-in-hand with increased tendencies towards information sharing, and this is an unintuitive finding for us,” she said. “However, we would emphasize that this is correlation – not necessarily causation.”
There might be other factors involved. For example, companies where employees engage in risky behaviors may be more likely to have security training.
“It would be irresponsible to definitely conclude that training efforts directly result in worse employee behavior,” she said.