Susan Regularly Violates Her Organization's Security Policies: Complete Guide

8 min read

Ever feel like there's one person in the office who treats the employee handbook like a set of optional suggestions? We've all met a "Susan." She's the high performer, the veteran who knows where all the bodies are buried, or the executive who thinks the rules are for the people who don't have a quota to hit.

But here's the problem: when Susan regularly violates her organization's security policies, she isn't just being a "maverick." She's creating a massive, gaping hole in the company's armor. And the worst part? Most of the time, the people around her just let it happen because she's too valuable to offend.

That's a dangerous game. One "quick shortcut" can lead to a data breach that costs millions.

What Is a Security Policy Violation

Look, a security policy isn't just a document written by a bored IT manager to make everyone's life difficult. It's a set of boundaries designed to keep the company's data, money, and reputation safe. When we talk about someone violating these policies, we're talking about any action, intentional or accidental, that breaks those boundaries.

The official docs gloss over this. That's a mistake.

The "Convenience" Breach

Most of the time, people like Susan aren't trying to sabotage the company. They're just trying to get their work done faster. This is the "convenience" breach. It's the person who uses their personal Dropbox because the company's approved file-sharing tool is "too clunky." Or the manager who emails a password to a subordinate because it's faster than setting up a proper credential manager.

The "Exception" Mindset

Then there's the mindset of the exception. This is when someone believes their role or their seniority exempts them from the rules. They think, "I've been here for ten years; I know how to handle this," while they leave their laptop unlocked and walk away to grab a coffee. It's a blind spot born from overconfidence.

The Malicious Actor (The Rare Case)

While less common, some violations are intentional. This is where someone deliberately bypasses a firewall or exfiltrates data. But in the case of a "Susan," it's usually not malice; it's a complete disregard for the risk.

Why It Matters / Why People Care

Why does this matter? Because hackers don't attack the strongest part of your defense; they attack the weakest. If your firewall is a steel wall but Susan is leaving the back door propped open with a brick, the wall doesn't matter.

When a high-profile employee ignores security protocols, it creates a cultural rot. If the junior staff sees that the top performer gets away with using an unencrypted USB drive, they'll start doing it too. Suddenly, your entire security posture isn't based on your policy; it's based on the worst habits of your most influential employees.

Real talk: a single violation can lead to a ransomware attack that freezes every computer in the building. It can lead to a GDPR fine that wipes out a quarter's profits. Or it can lead to a loss of client trust that takes a decade to rebuild. When Susan ignores the rules, she's not just risking her own job; she's risking everyone's.

Easier said than done, but still worth knowing.

How to Handle Persistent Policy Violations

Dealing with someone who thinks they're above the rules is a delicate dance. You can't just scream "security!" and hope they stop. You have to address the behavior, the motivation, and the culture.

Step 1: Document the Patterns

You can't manage what you can't prove. If you're the IT or security lead, you need a paper trail. Don't just say "Susan always does this." Instead, document the specific instances.

  • Date: October 12th.
  • Incident: Susan shared her admin credentials with a contractor via Slack.
  • Risk: Unauthorized access to the production environment.

If you have a list of patterns, the conversation shifts from "I think you're being careless" to "Here are five times in the last month where the company was put at risk." It's much harder to argue with data.

Step 2: Understand the "Why"

Here is where most companies fail. They focus on the what (the violation) and ignore the why. If Susan is bypassing a security check, it's often because that check is genuinely slowing her down.

If the approved process takes ten clicks and her "shortcut" takes one, the process is the problem. If you want Susan to follow the rules, the rules have to be usable. If security is a friction point, people will find a way around it. Your job is to make the secure path the easiest path.

Step 3: The Direct Conversation

Once you have the data and understand the friction, you have to have the talk. This isn't a lecture; it's a risk assessment. Instead of telling her she's "breaking the rules," explain the consequences.

Don't say: "You can't use personal email for work." Do say: "When you use personal email, our data is outside our control. If your account is hacked, our client's private data is gone, and we have no way to wipe it or recover it. That's a liability we can't afford."

Step 4: Escalation and Accountability

If the behavior continues after the conversation, it's no longer a training issue; it's a performance issue. This is where HR comes in. Security policies should be tied to performance reviews. If "hitting the numbers" is the only thing that matters, Susan will keep breaking rules to hit those numbers. Accountability means that security compliance is a key performance indicator (KPI) for everyone, regardless of their rank.

Common Mistakes / What Most People Get Wrong

The biggest mistake companies make is treating security as a technical problem rather than a human problem. They buy a more expensive firewall or implement a stricter password policy, thinking that will fix the "Susan" problem. It won't.

Another common error is the "VIP Treatment." This is when the C-suite or high-earners are given a pass. When the CEO ignores the MFA (multi-factor authentication) prompts, the rest of the company notices. It signals that security is a chore for the "little people," not a core value of the organization.

Lastly, many organizations rely too heavily on annual training. A 30-minute slideshow once a year doesn't change behavior. It just checks a box for the auditors. Real security happens in the daily habits, not in a mandatory video from 2021.

Practical Tips / What Actually Works

If you're trying to stop the cycle of violations, stop playing "whack-a-mole" and start building a security culture. Here's what actually works in practice.

Implement "Guardrails," Not "Gates"

A gate stops people and makes them wait. A guardrail keeps them on the road while they're moving fast. Instead of banning a tool, find a secure version of that tool. If people are using personal cloud storage, give them a corporate version that is just as easy to use but is managed by IT.

Use Positive Reinforcement

Stop only talking to people when they mess up. When a department hits a milestone of zero security incidents, acknowledge it. Make security a point of pride rather than a point of fear.

The "Shadow IT" Audit

Run a discovery scan to see what apps are actually being used in your organization. You'll likely find a dozen "shadow IT" tools that people are using because the official tools suck. Instead of banning them, vet them. If a tool is actually better, adopt it officially.
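Added example, not from the original post, that ties the shadow-IT audit to the paper trail from Step 1: it runs over a few constructed web-proxy log lines (assumed format: timestamp, user, method, host, bytes sent; all hostnames and the sanctioned-app list are hypothetical), lists every unsanctioned host with its number of distinct users, and builds the dated per-user record of large uploads to unmanaged cloud storage.

```python
# Added example (not from the original post): shadow-IT discovery and the
# per-user "paper trail" from Step 1, run over constructed web-proxy log lines.
# Assumed log format: timestamp user method host bytes_sent (all constructed).
from collections import defaultdict

SANCTIONED_HOSTS = {"files.corp.example", "slack.com"}  # hypothetical IT-managed apps
PERSONAL_CLOUD_HOSTS = {"dropbox.com", "drive.google.com", "wetransfer.com"}

SAMPLE_LOG = """\
2024-10-12T09:14:03Z susan POST dropbox.com 48213000
2024-10-12T09:20:11Z susan POST files.corp.example 1200
2024-10-14T16:02:45Z dave GET drive.google.com 900
2024-10-15T11:37:09Z susan POST drive.google.com 15300000
2024-10-18T08:05:22Z susan POST wetransfer.com 2300000
2024-10-18T08:07:10Z priya GET slack.com 4100
"""

def parse_log(log_text):
    """Yield (timestamp, user, method, host, bytes_sent) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, method, host, size = line.split()
            yield ts, user, method, host.lower(), int(size)

def unsanctioned_uploads(log_text, min_bytes=1_000_000):
    """Large POSTs to personal cloud storage that IT does not manage.
    Returns {user: [(date, host, bytes_sent), ...]}: the documented pattern."""
    trail = defaultdict(list)
    for ts, user, method, host, size in parse_log(log_text):
        if (method == "POST" and size >= min_bytes
                and host in PERSONAL_CLOUD_HOSTS and host not in SANCTIONED_HOSTS):
            trail[user].append((ts[:10], host, size))
    return dict(trail)

def shadow_it_inventory(log_text):
    """Every unsanctioned host seen, with its number of distinct users: the
    candidates to vet (and possibly adopt) rather than simply ban."""
    users = defaultdict(set)
    for _, user, _, host, _ in parse_log(log_text):
        if host not in SANCTIONED_HOSTS:
            users[host].add(user)
    return {host: len(u) for host, u in sorted(users.items())}

if __name__ == "__main__":
    for user, items in unsanctioned_uploads(SAMPLE_LOG).items():
        print(f"{user}: {len(items)} large upload(s) to unmanaged cloud storage")
        for date, host, size in items:
            print(f"  Date: {date}  Host: {host}  Bytes: {size}")
    print("Shadow IT inventory (host -> distinct users):", shadow_it_inventory(SAMPLE_LOG))
```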

Peer-to-Peer Accountability

The most powerful force in an office is peer pressure. When the "Susans" of the world are called out by their peers, not just by the "IT police," they tend to change their behavior faster. Create a culture where it's okay for a colleague to say, "Hey, you shouldn't leave your screen unlocked," without it feeling like a betrayal.

FAQ

What do I do if my boss is the one violating the policy?

This is the hardest scenario. Your best bet is to frame the risk in terms of the boss's own interests. Instead of "you're breaking the rule," try "I'm worried that if this leaked, it would reflect poorly on your leadership." Make it about protecting their reputation.

Should every violation be reported to HR?

Not necessarily. For first-time, low-risk mistakes, a quick "hey, don't do that" is enough. But if there's a pattern of intentional bypasses, you have to document it. If you don't, and a breach happens, the person who knew about the violation and stayed silent is often the one who gets blamed.

How do you handle a "high-performer" who refuses to comply?

You have to realize that their "high performance" is an illusion if they are creating an existential risk for the company. A salesperson who brings in $1M but opens the company up to a $10M lawsuit isn't actually a high performer. The leadership needs to understand that risk is a cost.

Is "security awareness training" a waste of time?

Most of it is. The boring, generic stuff is useless. What works are simulations—like fake phishing emails—and short, punchy updates that explain why a change is happening. People follow rules when they understand the "why."

At the end of the day, security isn't about the software you buy; it's about the people using it. You can have the most expensive security stack in the world, but it's all useless if your team is treating the rules as optional. The goal isn't to turn everyone into a cybersecurity expert; it's to make sure that the "Susans" of the world realize that their shortcuts are actually dead ends.
