Let me illustrate one of the main reasons why people ignore your security policies through a short story¹.

A business owner invites one of his subordinates, a VP of Sales called Bob, for a meeting, and says:

Look Bob, we just completed a 3 year audit, and I discovered that you’ve been stealing from this company all this time. All the vendor invoices were inflated to much more than they should be. Clearly you’re getting kickbacks left and right.

I also found out, Bob, that you’re selling our leads to our competitor, for cash!

On top of that Bob, we’ve done some mystery shopping - you’re supposed to be supervising the sales people answering the phones. Nobody uses the damn script!

On top of that Bob, I’ve discovered that every time I’m out of town, you don’t come in until noon, and you leave at 3 PM!

On top of that BOB, I found out 2 weeks ago, you’re sleeping with my wife!

I am telling you right now BOB, ONE MORE THING - and you’re OUT OF HERE!

The story is exaggerated to make a point. But the point is there. This is how 99% of the companies I’ve had the chance to work with treat security policies.

I’ve seen people violating various internal policies: acceptable use, privacy, secure software development, passwords, patch/vulnerability management, etc. Nobody ever gets fired for violating security policies.

Even when these policies contain “non-compliance” sections, stating that violating the policy can lead to various consequences, up to and including contract termination, it doesn’t matter.

As mentioned in our whitepaper on Security Culture as a Strategy, in any organization people don’t believe what they read or hear; they believe what they see. That’s one of the main unspoken rules in any organization.

In most companies, people see that other people are ignoring security, violating security policies, and getting away with it without any consequences.

When people ignore security policies, the security of the entire company gets continuously worse, day by day.

“How did you go bankrupt?” “Two ways. Gradually, then suddenly.” ― Ernest Hemingway, The Sun Also Rises

That’s exactly how most companies get compromised.
Gradually at first, then suddenly.

¹ I heard this story from Dan Kennedy, Direct Response Marketing Strategist.