Here are the biggest three reasons folks flout tech-security policies:

1. They don’t know the rules. No doubt your IT people have a security in place and have publicized it. But many policies have their fair share of gray areas, and that’s where you can get in trouble. For example, a worker has a large file to transmit, and your company e-mail keeps getting hung up because of the size of the file. G-Mail’s forbidden by your company policy, but if that’s the only way to get the file to the customer, is it OK? That needs to be clarified.
2. They know the rules, but no one’s enforcing them. If employees know there are no consequences for bending or even breaking the rules, there’s little motivation to play by them. Yes, your IT policy should have some teeth. But you want people to understand that if they access work files from a public computer, say, at a conference, they’re putting your financial data at risk.
3. The rules get in the way of productivity. Weren’t computers supposed to make folks more productive? But when IT blocks downloading or distribution via e-mail, you can bet employees will find a way to work around that. Bottom line: IT must be sure people have the tools they need to do their jobs — securely.

Source: “3 Reasons Why employees Don’t Follow Security Rules,” by Joan Goodchild. (www.csoonline.com)

What technology creates the biggest legal and financial risks for employers? Hint: It’s something most employees use multiple times a day.

That’s right: e-mail. Outgoing messages containing confidential, offensive or otherwise embarrassing content are increasingly causing big problems for organizations.

In the past 12 months, 44% of U.S. companies have had to investigate a violation of e-mail policy that posed a legal or financial risk, according to a recent survey by data security firm Proofpoint. Those situations most commonly involved:

• Obscene and offensive adult content (28%)
• Confidential information about the company (27%)
• Personal data about employees or customers (20%), and
• Intellectual property or trade secrets (12%).

More than a quarter of companies have fired an employee for one of those e-mail blunders.

And the companies that didn’t perform any investigations weren’t necessarily safe, either. The companies surveyed estimated that, on average, almost one in five (19%) outgoing e-mails sent at work contain potentially dangerous content.

New technology, new threats

It isn’t just e-mail that’s creating problems for employers — other types of technology are to blame for the leak of information. In the past year:

• 21% of companies have suffered a confidential data exposure through an employee’s use of a blog or online message board, and
• 12% have had an employee post dangerous content to a social networking site.

Ways to protect your company

Minimizing those threats requires cooperation between HR and IT. Here are some specific steps employers can take:

• Create policies – The first step toward protection is to tell employees what they’re prohibited from writing in e-mails or posting online.
• Discipline when you have to – One reason employees continue to write things they shouldn’t is they aren’t aware they can be punished or fired for it. That’s why it’s key to consistently deal with policy violations when they’re uncovered.
• Monitor outgoing e-mail – Many organizations install software to flag messages with certain keywords or periodically audit outgoing messages. Some larger companies hire full-time staff to read and analyze employees’ e-mail. Whichever method is used, it’s important for IT to be aware of what’s leaving the e-mail system.
• Search for blogs and other sites – One strategy for finding employees’ blog posts and other online writing is to plug your organization’s name into a search engine and look through the results.

A full report of the survey is available here (registration required).

Almost half (44%) of companies have to investigate a leak of sensitive information at least once in the past year, according to a new survey by Proofpoint, Inc. Most instances involved confidential data being shared with the wrong people via e-mail.

Some other dangers companies have been concerned about:

• Lost or stolen mobile devices holding corporate data
• Employees sharing too much on blogs or online message boards, and
• The uploading of data to media sharing sites like YouTube.

How are companies dealing with the dangers? According to the survey, strictly enforcing internal policies, with many employing an IT staffer to monitor e-mail or installing software to search for potentially dangerous messages.

You can read the whole study here (free registration required).