IT departments rely on several different policies to keep systems up and running and protect company data. Unfortunately, IT policies are only as effective as the users who are expected to follow them.
And often, users completely ignore IT policies — either because they aren't aware of them or because they simply choose not to obey the rules.
That can create big threats to security, cause new legal issues and prevent the company from making sure its IT resources are used efficiently. To avoid those risks, IT managers must focus on educating employees about policies, as well as boosting enforcement and technical controls.
These are the IT policies users seem to have the hardest time following:
1. Rules against online file sharing
Cloud computing can bring big benefits to organizations. When the right cloud service is chosen, it can give the company access to more powerful IT tools at a lower cost and improve agility and scalability.
But for every robust, business-oriented cloud computing service out there, there are several cheap or free consumer-focused services that don't have the security or back-up features necessary to protect critical and sensitive data. And many people are using those services at work.
Most IT managers (70%) believe or suspect employees in their company are using online file sharing services that haven't been approved by IT, according to a recent survey from research firm Enterprise Strategy Group (ESG). That's despite the fact that 77% of the companies in the survey have policies forbidding the use of those services.
The most commonly used cloud-based file sharing service, according to ESG: Dropbox. That service was recently hit by a data breach that could have exposed information uploaded by users.
In addition to a greater risk of data breaches, those consumer-grade services don't allow IT to control what data users upload and don't let companies make sure data is deleted once it's no longer needed or when the user leaves the company.
The solution: Employees are using those services for legitimate work reasons — i.e., to share documents and collaborate with co-workers. And even when IT blocks them, users can still find ways to use those services through personal mobile devices or uncontrolled WiFi networks. Therefore, if there's a demand for this kind of service, most experts recommend deploying an enterprise-ready solution.
2. Social networking policies
Companies often have some type of social networking policy, whether the goal is to ban employees from visiting Facebook, Twitter and other sites while at work, or just to limit what people say on public social networks.
The problem: If those policies are too strict, many users simply won't listen to them.
Even if IT blocks those sites on company computers, many users will simply visit them on a personal smartphone or tablet while they're at work.
Three-quarters of employees use personal devices to access social media at work, with 60% saying they check Facebook, Twitter and other sites multiple times per day, according to a report from HR software vendor SilkRoad. That’s despite the fact that only 43% of the 1,105 people surveyed said their employer allows access to social media at work.
The solution: If social networks are used the wrong way at work, it can cause problems including security threats, lost productivity and legal issues related to what employees reveal online. That's why experts warn companies should have a clear social networking policy and train users to recognize phishing attacks and other threats. However, it's also important to recognize that blocking all access without a real need can cause additional problems.
3. Password policies
While users have a tough time following many IT security policies, the ones they seem to have the most trouble with are the rules requiring strong, secure passwords.
Study after study shows that users rely on basic or default codes such as “password” and “12345” to protect their business accounts. Even when IT has controls at its disposal to enforce some level of complexity, users will often gravitate toward the simplest password that the rules allow (for example, “Pa$$word1”).
The solution: In many cases, users may not know what the password policy is or why it exists — for example, they may not be aware of hackers' dictionary attacks, which can easily open an account secured with a simple password. Educating them on the reasons for the password rules — and offering help for creating secure yet memorable passwords — could get more people on board. Also, many experts warn that in cases where more security is needed, companies should stop relying just on passwords and use two-factor authentication.
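To illustrate why complexity rules alone do not stop passwords like “Pa$$word1”, here is an added example (not from the original article) that runs a typical composition policy next to a dictionary-style check. The word list, substitution table and function names are assumptions made for the illustration; a real deployment would screen against a large breached-password list.

```python
import re

# Constructed sample list (assumption); production checks use a large breached-password corpus.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome"}

# Substitutions users commonly apply to satisfy complexity rules (illustrative, not exhaustive).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "!": "i"})


def meets_composition_rules(pw, min_len=8):
    """Typical complexity policy: minimum length plus upper, lower, digit and symbol."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(p, pw) for p in patterns)


def is_dictionary_based(pw):
    """True if the password reduces to a common password once decorations are undone."""
    lowered = pw.lower()
    stripped = lowered.rstrip("0123456789!?.")  # drop a trailing digit/punctuation suffix
    candidates = {lowered, lowered.translate(LEET), stripped, stripped.translate(LEET)}
    return any(c in COMMON_PASSWORDS for c in candidates)


def audit(pw):
    """Return (passes_policy, guessable) for one candidate password."""
    return meets_composition_rules(pw), is_dictionary_based(pw)


if __name__ == "__main__":
    # Constructed samples: the article's three examples plus one unrelated strong password.
    for sample in ["password", "12345", "Pa$$word1", "Tr4il-mix&Kettle9"]:
        print(sample, audit(sample))
```

A password for which `audit` returns `(True, True)` satisfies the written policy yet is still one of the first guesses a dictionary attack would try, which is the case enforcement tools and user training both need to cover.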