A recent survey asked employees why they didn't follow the rules and much of the response sounded a bit like a child answering their parent. They might have been bored or there were too many rules to deal with.
The rule breakers were called out for violating company policies. Other responses included:
- "Sharing of information that clients need to know but we may or may not have been given permission but is needed information for clients to have for testing success"
- "They are borderline infractions."
- "Unhappy with job, company."
- "Sometimes it is necessary to bend the rules a bit."
- "So many policies I don't know them until I break them."
- "I'm bored and I want to get on the internet and play games."
- "We can not possibly know when a client is going to need certain information for testing success and often times it is spur of the moment so although the management team has not given permission, we have to make on the spot decisions with the hope we do not give too much information."
Software Advice surveyed 110 employees across a variety of industries to better understand the (in many cases) daily violations of company policy they commit. One in five employees admitted to daily or weekly policy infractions. Of the top industries in the survey, employee compliance violations are most common in banking/finance and least common in manufacturing.
Daniel Harris, market research analyst for Software Advice, cited the following examples of how and why the rules get broken:
- Employees open phishing emails because they don't get the proper training on how to distinguish them from normal emails. Compliance management programs include LMS modules that can get employees up to speed on this point.
- Employees tend to store data where it's easiest to store data unless they get specific training or unless workflows are designed to ensure that they store data in the right places.
- Employees use company resources for personal use because they're bored.
- Phone dial-ins are easier than joining virtually in some instances. Telecom expense management policies are also arcane and complex to understand.
- People get sloppy with data.
- People don't like paying for copyrighted work if they can avoid it, as witnessed by the success of file-sharing, torrenting, streaming, key-gens etc.
- Again, people get sloppy, and network policies are tough for non-IT personnel to understand.
He said compliance processes such as preventive action and accident reporting are often tracked in a variety of tediously manual ways, particularly at smaller organisations. GRC platforms that offer workflow modules, templates and governance features can streamline such inefficient, paper-based processes.
"When we add in the 16 percent of the sample that have issues with the complexity of applicable regulations, we can see that overall, the diversity and complexity of compliance requirements creates the potential for violations for over half of our respondents," Harris said.