March 17, 2010 - Linda McGlasson

A new poll shows that more than one in 10 U.S. employees says they've known they were violating policies put in place by their company's IT departments, but violated them anyway to get their work done.

The Harris poll, conducted for a mobile asset company, showed that of the 1,347 employed respondents over the age of 18, 12 percent admitted to breaking policy. While the poll was directed at mobile and remote computer use, the findings hold true across the makeup of every organization.

And if one of those policy-breakers isn't on your senior management list, I will guess you haven't looked very hard.

Many information security practitioners know that there are "policy-compliance-rules-weren't-written-for-me" types in their organizations. And if one of those policy-breakers isn't on your senior management list, I will guess you haven't looked very hard.

Why is it so important to stop these scofflaws? Because stop a policy-breaker and you may stop a data breach. Among the most feared threats at any institution are the trusted insiders, as any information security pro knows. These are the employees who have access, as well as the ability to wreak havoc if they turn to the dark side, or even if they make an inadvertent mistake.

Technology plays a part in detecting policy-breakers and evaders. The need for compliance tools to make sure employees are following the rules is clear. Because without them, organizations face breaches, the possible loss of data - either intently or inadvertently, which of course leads to having your name splashed across the news headlines.

How to stop these policy-evaders? Educate and preach compliance to your employees. I don't just mean handing them an information security folder and doing the speech about how important security is, or the annual information security meeting that no one, especially policy-breakers, wants to sit through.

Ever consider putting security compliance as part of everyone's job description and tying it to their job performance? I know it may take a bit of convincing at the board level that this could work, but it would go much further to tell workers that it is part of their job to follow the rules. It's even part of the CEO's job too.