A startling number of technology professionals knowingly ignore security policies or break them because they are unaware of them.

"The key takeaway is that information security policies are not being read, or - if they are being read - are not being understood, or if understood, people may not be following it," said Larry Ponemon, chairman of the US-based privacy think tank which spoke with 890 IT workers.

The US survey comes in the week that 75% of attendees at the London CSO Exchange conference in London reported that the risks posed by insiders within their organisation where greater than the risks from outsiders.
Nine percent of those present had not even yet considered data loss as a specific issue.

More than half of the respondents in the US survey said they had personally copied confidential company information into USB memory sticks, though more than 87% admitted that company policy forbids them from doing so.

In addition, 57% believe others in their organisation routinely use memory sticks to store and transport sensitive or confidential company data. Among the reasons cited for non-compliance were lack of policy enforcement and convenience.

Almost half said they routinely share passwords with colleagues, even though a two-thirds majority of the respondents said their company's security policies prohibit them from doing so.

In some cases, the violations appear to happen because employees are unsure about company policy. For instance, 33% of survey respondents said they sent workplace documents home as e-mail attachments. Nearly half the sample didn't know whether that practice constitutes a breach of policy.

In the same vein, eight out of 10 of the IT professionals in the survey said they were unsure whether turning off network firewalls is a policy breach - which may explain why 17% admitted to having done so.

Sometimes, however, insider security breaches result from a lack of clear corporate guidelines.

For instance, despite widespread concerns about data leaks resulting from insider abuse or negligence, 60% of respondents said their companies have no stated policy forbidding the installation of personal software on company computers.

Nearly half admitted to downloading such software including peer-to-peer (P2P) file sharing tools on company hardware. More than seven in 10 said they did not immediately report lost or missing devices containing company data.

"The reason why these thing are happening [is] because compliance is not enforced," Ponemon said. While more IT managers may realize the need for company-wide security policies, "people are just not paying attention to enforcement. There is no auditing" for compliance.