UK employees still fail to follow IT security policies


According to research, senior IT decision makers say that more cyber risks are being created outside of the IT department’s visibility, yet it remains IT’s responsibility to mitigate these risks.

The survey found that organisations need to better define and enforce corporate policies company-wide, addressing risks like shadow IT and bring your own device given today’s increasingly mobile, agile workforce.

Recent sprawling attacks like WannaCry that affected organisations worldwide, as well as direct attacks on organisations of all sizes and in all industries, have demonstrated the significant organisational damage they cause. In the wake of data breach pandemics at levels seen over the past year, most organisations should take stock of the security controls they currently have in place and work to understand where their exposure points exist, and how to remedy them.

The research found that over half of respondents believe that one of the key reasons that non-IT departments introduce the most risk is that they often lack the understanding of what actions and behaviours lead to risk. Using unsecure mobile devices and adopting unmonitored SaaS applications are two examples of such risky behaviour. While the majority of these risks are being created outside of IT’s view, it is still IT’s responsibility to mitigate the risks associated with them. According to the survey, 7 out of 10 organisations have embraced BYOD and SaaS application adoption, while only 53 per cent have formal policies in place to protect corporate data.

While organisations may create policies to govern access that help secure the enterprise, there is often a disconnect between what is defined as policy and what is actually enforced. Of the companies that have policies in place, 3 in 10 say that their users are not following them. With 74 per cent of respondents concerned about BYOD and shadow IT as organisational exposure points, it’s clear that enterprises need to better enforce corporate security policies company-wide.

More than 6 in 10 respondents agree their organisation’s data would be less exposed if they were better equipped to manage it. Over 6 in 10 respondents whose organisation has introduced an identity governance solution believe it will result in a more automated and efficient organisation, while over half hope to improve business enablement.

With cloud adoption accelerating for most enterprises, control over exposure points is needed across the entire IT environment, both on-premises and in the cloud. Although many enterprises are moving to the cloud, they still have a variety of legacy applications that will remain on-premises, creating a complex, hybrid IT environment that still needs to be managed and governed holistically. This is why building a cybersecurity programme that puts identity at the centre of that strategy is more important than ever for today’s modern enterprise – it gives enterprises a single view into all users’ access to all data and applications, no matter where they reside.

“Our Market Pulse Survey uncovered an interesting ‘identity trilemma’ – multiple departments within an organisation are adopting their own SaaS solutions to appease business users through shadow IT, all while not properly adhering to company security policies,” said Juliette Rizkallah, CMO, SailPoint.

“This is a dangerous combination that creates serious exposure points for companies today. Identity governance is still the key in protecting these points of exposure and mitigating the risks inherent in today’s hybrid IT environment. For enterprises to have full visibility into who has access to what, understanding the ‘who’ in that equation is more important than ever. This is why putting identity at the center of security strategies is the best approach for defending and protecting today’s modern enterprise.”