Despite investment in cyber security, employees are still putting organisations at risk, according to new research from Databarracks

A new study reveals that nearly two thirds (61 per cent) of IT decision makers believe their employees regularly circumvent company security policies. Despite the fact that over half of those surveyed have invested in safeguards to protect their businesses against cyber threats in the past 12 months, careless employee behaviour could be leaving many organisations exposed to risks.
The findings are part of Databarracks’ sixth Data Health Check report, which surveyed over 350 IT decision makers in the UK.
When asked how often they thought their employees flout security polices (such as taking company data offsite, fabricating or omitting information on sign-in sheets and keeping written records of passwords) 61 per cent estimated their workforce side-step such practices at least once a month, with around a third (28 per cent) saying it’s daily or more.
These results can be considered in contrast to other findings from the report; over half (59 per cent) have invested in safeguards in the past 12 months to protect against cyber threats like malware, viruses and phishing attacks. However, if employees are commonly circumventing the security practices put in place by company IT departments, these protocols may not be as effective as hoped.
Oscar Arean, technical operations manager at Databarracks, commented on the results: “We expanded the remit of the Data Health Check this year to look at how IT departments approach cyber security, and how their users experience (and respond to) their approaches. The results have been pretty damning, with IT managers seriously lacking confidence in their employees’ commitment to their security plans. If they’re correct, then their businesses will be left exposed to cyber threats, as well as other more traditional threats such as social engineering. It may be no coincidence that two thirds (66 per cent) of those we questioned had been affected by a cyber-threat in the past 12 months. No amount of investment in cyber security policies can make up for poor employee habits; IT managers need to address this issue if they are to secure their organisations from malicious threats.”
Arean suggests communicating cyber risks more clearly throughout the organisation and opening a conversation with employees to improve the plans in place: “Employees that flout security policies are unlikely to be purposely trying to threaten the business – they either don’t know the consequences of their actions or they feel too restricted by the policies that are in place. Despite the rise in ransomware, there is a blind ignorance to security in the sense that people just don't realise the consequences of the actions they take. Awareness training is used to address security concerns but is typically only done yearly or as part of the initial induction. In order for it to be effective, it needs to be carried out much more regularly.”