Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security Policies

SAN JOSE, Calif. - October 28, 2008 - Cisco today released a second set of findings from a global study on data leakage, revealing the prevalence and effectiveness of corporate security policies within companies and the reasons employees break or comply with them. The study enables information technology teams in various parts of the world to understand employee risk factors so they can effectively tailor policies that fit the reality of what their users need to do their jobs.

The latest security findings follow the first wave of research announced last month on common employee data leakage risks and mistakes around the world. The findings on corporate security policies stem from surveys of more than 2,000 employees and IT professionals in 10 countries: the United States, the United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil. Conducted by InsightExpress, a U.S.-based market research firm, the security study was commissioned by Cisco at a time when data loss ( is one of the most prominent concerns of businesses. As lines blur between work and home, and as employees use collaborative applications and mobile devices, the role that security policies play in protecting sensitive data becomes increasingly critical.

"This study reinforces the need to revisit corporate security policy and how that policy is communicated", said John N. Stewart, chief security officer for Cisco. "When employees believe that security policy is unfair, in the way of them doing their jobs and don't grasp the 'why', then policies quickly lose their efficacy. Too often we write policies as rules, not as reasons, and if brought together with awareness, education and communication, then it unmasks why policies are necessary, critical and help. By engaging with employees and understanding what they need to do their jobs, we can develop realistic policies that work more cohesively and effectively with corporate security, ultimately resulting in a more secure environment."

The Findings: A Matter of Policy

Fortunately, the research found that a majority of businesses (77 percent) have security policies in place. However, for the one business in four that does not, the trends of mobility, collaboration and workforces without borders present a more urgent concern as those businesses attempt to set official policies for how and when to access corporate data, applications and networks. The absence of security policies is most prevalent in Japan (39 percent) and the United Kingdom (29 percent).

But even when companies have security policies, the research reveals that employees often defy or ignore them. More than half of the employees surveyed admitted that they do not always adhere to corporate security polices. Of all the countries, France (84 percent) has the most employees who admitted defying policies, whether rarely or routinely. In India, one in 10 employees (11 percent) admitted never or hardly ever abiding by corporate security policies. Several factors influence employees' decisions to adhere to or break corporate security policies:

"This decision employees make to either adhere to policies or sidestep them to complete their jobs presents a noteworthy challenge to IT," said Marie Hattar, vice president of Network Systems and Security Solutions for Cisco. "IT needs to reshape security policies to meet the real needs of businesses and employees, or they risk a policy breakdown and a greater risk for data loss and breaches."

According to the research, breaches affect more than just companies in question. One of the more sobering findings is that of the IT respondents who dealt with employee policy violations, one in five reported that incidents resulted in lost customer data.

Today, Cisco security executives will present the study's findings in greater detail and share their approach to establishing and communicating corporate security policies. The company will host an Internet TV broadcast with media and industry analysts from 8 to 9 a.m. PDT.