New research suggests policies that fail to account for the realities of employees’ differing priorities and daily responsibilities are more likely to be ignored or circumvented, increasing an organization's data breach risks.
The reason employees violate information security policies (ISP) may be rooted in a mismatch of priorities, according to new research from Binghamton University, State University of New York.
Organizationwide security policies that do not account for the realities of different employees’ priorities and their daily responsibilities are more likely to be ignored or circumvented, increasing data breach risks.
“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management. “Each of these groups are trained in a different way and are responsible for different tasks.”
In health care, for example, where patient health data is highly confidential, compliance with hospital security policies about locking unattended workstations varies for physicians, nurses and support staff, the researchers found.
“Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” Sarkar told BingU News. “On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”
Because each subculture responds differently to the blanket security policies, security teams should identify and consult with each subculture to develop more effective ISPs that introduce less friction.
In a hospital, for example, touchless, proximity-based authentication could lock or unlock workstations when an employee approaches or leaves a workstation. Sarkar suggested.
“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”