Compliance officers and IT managers know that putting the policy set in place is the relatively easy part of the process of bringing an organization into compliance with a given set of requirements. Then comes the series of battles. What can you get users to agree to willingly? How many repetitions of the requirements and their effects on the business will be necessary before the info sinks in? And how long before the interest level fades enough that users feel that a workaround or cheat that’ll make their day-to-day tasks a bit smoother is worth the potential risk?
And if you’re not monitoring access or files, or aren’t getting the level of confidence you require by doing so, how do you find out more about what employees might be trying? User surveys, carefully constructed, can give you a surprising amount of insight and clues to follow up on, without damaging your users’ willingness to comply.
In a recent survey of IT and business decision-makers on compliance practices in email and file transfer habits, data delivery service vendor DataMotion found that although 80 percent of its survey respondents have file transfer security and compliance policies in place, only 45.5 percent of them feel that users understand those policies. Frankly, this type of number isn’t too surprising. Folks who’ve been working in IT for any length of time have seen similar survey results, or have experienced similar frustration with policy effectiveness firsthand within their organizations. Employees are busy, policies are complicated and normally introduce unwanted change to processes, and it takes time to communicate not only what will be done, but why it will be done. Increasing the percentage of employees who understand the policies requires repetition and time. DataMotion’s survey didn’t address the tightly related question of which education methods were or weren’t chosen within these organizations, so we don’t know how mature their policies are, or whether they were thrown at users with no follow-up other than technological tools such as encryption, monitoring and filters.
What did stick out, though, was one interesting type of question that can help compliance officers measure progress in creating the desired compliance-oriented culture. In this particular survey, 84 percent of respondents said they believed employees and co-workers routinely or occasionally violate security and compliance policies. That’s a huge percentage, and even if some respondents are mistaken about what they believe others are doing, it reveals a trend to be investigated.
Would 84 percent of employees rat themselves out for circumventing the policies in question? Probably not. In DataMotion’s survey, 34.2 percent did cop to using or recommending consumer file transfer services, presumably not authorized under their file transfer policies. Not a very comforting number to see, but still significantly lower than 84 percent.
Following up on this type of finding is a tricky task, to be sure. But by constructing user surveys that are less accusatory and more focused on understanding users’ overall attitude toward the policies in question, compliance officers can tailor a combination of education and technology to guide the entire staff toward a pattern of behavior that doesn’t break policy or endanger the organization’s future.