The Social Contract of Security: Why Employees Ignore Policies
Understanding the Real Reasons Behind Policy Bypass
Team CM
Apr 25, 2025 4:00:00 AM
A recent report by Forrester revealed that 60% of employees admit to intentionally working around security controls. That’s not a rounding error. That’s a systemic issue—one that impacts nearly every organization, across sectors, geographies, and maturity levels.
And no, this isn’t a story of carelessness or rebellion. It's a story of friction, fatigue, and misalignment.
Just in the past year:
SlackGPT bots and AI plugins have led to unmonitored data movement across shadow integrations.
Staff at a Fortune 500 law firm bypassed DLP tools to email sensitive contracts using personal accounts due to slow file transfer protocols.
A major U.S. hospital saw ransomware gain initial access through a workaround—an admin used a personal tablet to connect to a legacy portal while traveling.
The controls were there. The culture—and the context—were not.
It’s easy to assume these behaviors stem from ignorance or apathy. But the data tells a different story. According to research from Gartner, the top reasons people bypass security include:
Tools that slow them down or interfere with work
Lack of context or awareness about the risk
Conflicting incentives (hit targets vs. follow rules)
Low trust in IT or security to understand business needs
Poor usability or outdated technology
Translation? These are problems with design, process, and culture—not people.
When 6 in 10 employees are skirting controls, it’s time to stop looking at individuals—and start looking at the environment.
Security controls that are difficult, disruptive, or confusing will eventually be bypassed, ignored, or “worked around.” That’s not defiance. That’s human nature.
You can’t fix this with stricter rules or longer training. You fix it by addressing the root causes:
Are your policies aligned with how people actually work?
Do your tools support the pace and pressure of real business life?
Is your culture one where risk is understood, respected, and shared?
When employees are forced to choose between doing their job efficiently and following a protocol that hinders them, they’ll make the rational (not reckless) choice.
But over time, this creates:
Invisible vulnerabilities that no tool can detect
Cultural fatigue where security is seen as the enemy
Erosion of trust between teams and leadership
Increased shadow IT and unmonitored data movement
And that’s how small workarounds lead to massive breaches.
✅ Map the friction. Interview employees, observe workflows, identify the chokepoints where security clashes with productivity.
✅ Design with humans in mind. Integrate behavioral insights into policy and tooling decisions. If your users hate the solution, it isn’t the solution.
✅ Build trust. Collaborate with departments early when rolling out new tools or controls. Transparency beats enforcement.
✅ Reinforce the “why.” Training isn’t just what to do—it’s why it matters, who it protects, and what’s at stake.
✅ Get feedback loops in place. Encourage employees to share where controls are causing issues, and make changes visible.
With AI accelerating everything—data flow, attack vectors, employee behavior—the gap between your controls and your culture is your next breach waiting to happen.
Human Risk Management isn’t about fixing people. It’s about designing systems that people can thrive in—without breaking the rules to do their jobs.
If you want to understand your real human risk landscape, we can help you map it, remediate it, and build a culture that doesn’t just follow rules—but lives them.