Two-thirds of IT decision-makers fear employees regularly circumvent security policies

Training remains a critical form of defence against cyber-attacks.


Organisations are leaving themselves unnecessarily exposed to significant security risks. This is according to research from Databarracks, which found that over two-thirds of IT decision-makers believe their employees regularly flout internal IT security policies.

With industry practitioners speculating on how the cyber security landscape will evolve in 2020, Peter Groucutt, managing director of Databarracks, highlights why training is still a critical form of defence against cyber-attacks.

“People are often the weakest link in the information security chain and to prevent your organisation being caught, it’s important you make employees aware of the risks. Our research has revealed two-thirds (67 per cent) of IT decision-makers believe their employees regularly circumvent company security policies.”

Groucutt continues, “Employees flouting security policies are never deliberately threatening the business – either they don’t know the possible consequences of their actions or feel too restricted by the policies in place. In any case, this neglect for security leaves an organisation exposed to threats.

“To reduce the danger, there are practical steps an organisation can take. Firstly, develop a culture of shared responsibility, where the cyber security burden doesn’t just rest with the IT department. We understand this in the physical working environment – an unknown person would not be allowed to walk into an office and start taking belongings unchallenged – so why should digital security be any different?

“Secondly, lines of communication between the IT department and the rest of the business need to improve. For users to feel like they are part of the solution, they need to be aware of the ongoing battle IT face. Often, IT teams handle incidents in the background with only key senior individuals being informed, but if threats aren’t communicated internally to all employees, they won’t know how to change their behaviour in future. The IT department has a responsibility to educate the entire business on why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.”

Groucutt continues, “When security processes hinder an employee’s performance, they will often find a way to get around them to get a job done quicker. To avoid staff taking the easy route, security must be built into an organisation’s overall strategy and communicated down through employees’ objectives. Equally, IT need to be receptive when policies are flagged for being too restrictive. That creates the dialogue and an understanding of a shared goal for IT and users.

“Finally, regular training and education is vital. Awareness training is typically only carried out annually or as part of an initial induction, but this should be increased. Employees need ongoing security refreshers throughout the year, at least twice annually, to address any new threats, and ensure security remains front of mind.”
