Here are the biggest three reasons folks flout tech-security policies:

1. They don’t know the rules. No doubt your IT people have a security in place and have publicized it. But many policies have their fair share of gray areas, and that’s where you can get in trouble. For example, a worker has a large file to transmit, and your company e-mail keeps getting hung up because of the size of the file. G-Mail’s forbidden by your company policy, but if that’s the only way to get the file to the customer, is it OK? That needs to be clarified.
2. They know the rules, but no one’s enforcing them. If employees know there are no consequences for bending or even breaking the rules, there’s little motivation to play by them. Yes, your IT policy should have some teeth. But you want people to understand that if they access work files from a public computer, say, at a conference, they’re putting your financial data at risk.
3. The rules get in the way of productivity. Weren’t computers supposed to make folks more productive? But when IT blocks downloading or distribution via e-mail, you can bet employees will find a way to work around that. Bottom line: Be sure people have the tools they need to do their jobs — securely.

Source: “3 Reasons Why employees Don’t Follow Security Rules,” by Joan Goodchild. (www.csoonline.com)

We needed a new password policy to make us less vulnerable.

But users felt that we were just creating a policy that would make their lives more difficult.

Buy-in was what we needed. Otherwise the policy would flop.

We began a user-education campaign with e-mails, memos and meetings. The big thing was users understanding how crucial it is to business not to create security risks.

We provided suggestions on how to come up with new passwords every 90 days, including techniques for remembering them, such as numeronics and phrases.

We stressed the importance of not creating cheat sheets under keyboards or on monitors, and they groaned.

But we acknowledged their pain and let them know this applied to everyone – from IT up to our CEO – and nobody would be exempt.

The prep work really paid off because users change their passwords routinely without calling the help desk.

Now users are a part of a security process that goes beyond firewalls and user access.
(Ann Dunn, IT director, Planned Parenthood of Northern New England, Williston, NY)