Lack of policy awareness

11 Nov 2010 - New survey findings

The CISCO study, which involved surveys of 2,600 workers and IT professionals in 13 countries, revealed that while most companies have IT policies (82 percent), about one in four employees (24 percent) are unaware that such policies exist.

An additional 23 percent reported that their companies do not have IT policies on acceptable device usage. When combined, almost half of the workers in the study (47 percent) either do not have an IT policy on device usage or do not know that one exists. 

  • For those employees who have an IT policy, 35 percent say IT does not provide an explanation or rationale for why it exists, which can result in apathy, misunderstanding and selective compliance.
  • Among workers aware of IT policy, about two of three (64 percent) feel it could use some improvement. These employees believe policies could be updated to reflect real-world needs and work styles, such as finding an acceptable medium between device usage, social media, mobility and work flexibility.
  • Of those employees who admit to breaking IT policies, about two of every five (41 percent) say it's because they need restricted programs and applications to get the job done – they're simply trying to be more productive and efficient.
  • One of five (20 percent) employees worldwide said they break IT policy because they believe their company or IT team will not enforce it.
  • This research points to an issue among many businesses worldwide: the need to re-evaluate and update IT policies to align with the growing reality of a workforce that is demanding more enablement to be connected anywhere, anytime, with any device and any information in their work and personal lives.

NETconsent View

The CISCO report provides new evidence of a massive disconnect between IT policies and workers. This problem is not new, but it is one of growing concern for organisations looking to maintain regulatory compliance. As seen in the numerous security breaches reported over the last few years, a lack of awareness and understanding of policies has been at the heart of many corporate governance failures.

Unwieldy communication methods mean crucial policies remain an organisation’s best kept secret. This may appear to be to an organisation’s advantage. After all, who wants to promote out-of-date and irrelevant documents? However, employees confused about their responsibilities are more likely to make mistakes. These may result in lost productivity, revenue and reputation or incur litigation fees and regulatory penalties.

NETconsent, the leading vendor of policy management software, is regularly asked to show how policy communication may be failing within an organisation. The most common problems identified support the CISCO report findings:

Common Failings for Policy Communication

1. A lack of policy awareness

The absence of an enterprise approach to policy management creates silos of information within departments. The majority of employees don’t know where to find policies.

2. Lack of employee engagement

People don’t prioritise policy compliance. For example, one Local Council sent out emails to 3,500 employees asking people to read a policy on the intranet. After 5 months only 40 people had made the time to do so. Follow up of non-participants becomes too labour intensive and costly to pursue for multiple policies.

3. Policies unfit for purpose

Policies tend to be complex, jargon-packed documents that run into tens, if not hundreds, of pages. These documents often include a jumble of policy, operating procedures, guidelines, forms and other reference materials. This makes it difficult for employees to read and comprehend the crucial core message and why it is important.

4. Out-of-date policy information

Traditional distribution mechanisms are administratively burdensome and seemingly ineffectual. Therefore evaluation and update of IT policies to align with emerging security threats and the demands of modern working practices is not systematically undertaken on a sufficiently regular basis.

5. Lack of Enforcement

Management turns a blind eye to lapses in policy adherence, because policies are out-of-date, unclear or impractical to follow. Apathy and selective compliance put organisations at risk.

Robin Saunders, Managing Director of NETconsent, asserts, “Unless there is a strong culture of compliance, or people are at least aware that a failure to comply with the policy management process will impact on them directly, only cursory attention is paid to the compliance process.” It is unsurprising therefore that nearly 50% of respondents in this study either believed that their organisation did not have an IT policy on device usage or were unaware that one actually exists. Such a stance seems the perfect excuse for individuals should something go wrong. But Mr. Saunders insists, “Ultimately it is the Board which will be held accountable when things go wrong. It is part of a Director’s duties to instigate appropriate measures, which maintain and prove good corporate governance.”

Organisations that really want staff to read, understand and sign up to IT policies are turning to automated policy management software to raise standards of policy compliance and provide managers with practical tools to improve policy uptake and adherence.