Minor Policy Violations Can Cause Major Breaches

Can minor usage policy infractions serve as predictors of larger problems? Evidently so, according to a recent Verizon data breach analysis report.Verizon's recently released annual Data Breach Investigations Report holds plenty of scary and alarm-worthy insights into the current nature of of data breaches, their causes and the often basic procedures needed to mitigate or prevent them.

Among the remedies were plenty of the usual suspects:sloppy security practices, failure to maintain and mine logs foe evidence of breaches, increasingly organized and commercialized cyberciminal networks and so on.

What most caught my eye, though, was comment regarding the dangers of allowing "minor" policy violations -- and what can happen when you do so.

While the report is careful not to label all employees who commit "minor" infractions -- illicit software on company machines, inappropriate content or surfing -- as potential criminals, the potential is made pointedly clear:

"Inappropriate actions include policy violations and other questionable behavior that, while not overtly malicious, can still result in harm to information assets. Not only can inappropriate behavior contribute directly to a breach, but it may also be an ill omen of what's to come. Over time investigators have noticed that employees who commit data theft were often cited in the past for other "minor" forms of misuse (or evidence of it was found and brought to light during the investigation)."

That's clear enough -- and essentially falls into the "Ya think?" category.

The question is: If an employee has been "often cited" for violating your company's usage policies --

Why is the employee still with your company?

Usage policies exist -- if they do -- for a reason: To establish and enforce the sorts of habits, practices and behaviors that you deem a) most essential for safeguarding your business's digital assets and b) set standards for acceptable behavior with your equipment and connections, and make also clear what content you consider inappropriate and unacceptable.

If you don't have a formal usage policy, you're already sending an an "anything goes" message.

If your policy doesn't include enforced consequences including termination for serious infractions, and the same for repeated "minor" violations, you're sending the same message.

People slip up, mistakes are made -- and an effective policy includes some slack for good employees.

But frequent violators are a risk-factor you can't afford to tolerate -- with the added advantage that enforcing your policy firmly effectively reinforces it as well.