Druva Blog > Industry Insights

Research Confirms: Don’t Trust Your Users to Comply With Security Policies

It’s not like this is a surprise to experienced sysadmins: If you care about your company’s security, particularly with regard to mobile devices, don’t expect your users to follow the rules. But now we’ve research to back that up.

According to a recent survey of U.S. IT professionals, conducted by Ponemon Institute and Lumension, the primary reason that IT departments have difficulty managing security risks on smartphones, tablets, and laptops is employees not complying with security policies. That’s the case even though 78% of survey respondents feel that employees who don’t follow security policies are a threat to mobile security.

Although IT security risks are growing most rapidly on mobile devices such as smartphones, few organizations have governance and control processes to stop attacks on these devices. And when such policies exist, reports the study, “2015 State of Endpoint Report: User-Centric Risk,” 70% of IT professionals have endpoint security policies that are difficult to enforce. Other enterprise endpoint security threats high on Ponemon’s list include the use of commercial cloud applications, BYOD, and employees who work remotely.

So, why are employees the biggest source of risk? For most people, endpoint security isn’t top of mind; they — we! — want to get work done. Most of us, when faced with a security policy, just sign it or click “Agree.” Unless you’re an IT or security professional, chances are you don’t take the time to read all that fine print. But maybe you should, because getting fired for failing to comply with security policies is a real possibility.

“People say the solution to security and data privacy concerns is putting policies and procedures in place, but that means putting the responsibility in the hands of individuals and expecting them to strictly follow those guidelines,” says Dave Packer, Druva’s director of product marketing. “Unfortunately, you can’t trust people to always follow regulations. Technology needs to help companies enforce its regulations by filling in those holes wherever it can.”

It would make a big difference if IT had better control over those governance and control processes. According to the survey results, 72% believe that attacks on an organization’s devices can be stopped by implementing a combination of technologies, processes, and in-house expertise.

Want to know more about keeping corporate data safe on mobile devices? Read our white paper: The Essential Security Checklist for Enterprise Endpoint Backup.


  1. acdha 5 years ago

    The other side of this is that many IT groups set policy for security without considering usability or productivity as equal weight concerns. The textbook example are the places which set onerous password policies requiring high-complexity long passwords and frequent changes, ban the use of password managers, and then complain when they find that all of their users are doing something like incrementing a serial number at the end of their old password because it’s hard for humans to memorize new high-entropy strings every month. A productivity-focused security group would do things like deploying single-signon to reduce the number of times someone has to re-enter a password, two-factor authentication so you get better security than password rotation offers with a much better user experience, and keep the IT side up to date with measures like anomalous login monitoring and defense in depth so the security of the enterprise isn’t so critically dependent on passwords.

  2. I'mnot georgel 3 years ago

    You can tell how important the security policies are to organizations and how important having employees follow them by totaling up the time spent making the policies user friendly and spent explaining them to the users and training users on how to follow them. The usual amount of this training and explanation is none or very little.

Leave a reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.