As part of a business, you probably understand how important it is to
keep your information secure; yet all too many
businesses suffer from security breaches. A new
survey by PricewaterhouseCoopers LLP for the
Department of Business Enterprise and
Regulatory Reform has found that changing
employee behaviour can provide a big step
towards keeping your information secure.
UK companies have become increasingly aware of the need to have
information security policies in place, with
seven out of eight large businesses now
claiming to have one. However, the high
priority given to information security by
companies does not necessarily translate
into improved security awareness among
employees. Increasingly, companies are
realising that to tighten up further on
information security, they have to change
their people’s behaviour.
Although this survey focused on large
businesses, the problems are similar, if not
more important, for small businesses with
smaller security and technology budgets.
The survey shows that companies are placing greater trust in their
staff and they want their staff to use
technology to improve their effectiveness.
For example, 54% of UK companies now allow
staff to access their systems remotely (up
from 36% in 2006); every very large business
gives remote access to at least some staff.
The proportion of businesses restricting
Internet access to some staff only has
nearly halved (from 42% to 24%), and only 9%
give no staff access to the Internet.
At the same time, the survey shows that staff are increasingly
targeted by social engineering attacks
(where outsiders try to obtain confidential
information from employees). In addition,
businesses are becoming increasingly
concerned about what is being said about
them on social networking sites (such as
MySpace, Facebook and Bebo), and some staff
have posted confidential information on
these sites.
However, technology controls alone are not enough. Key to making
sure that staff remain the organisation's
greatest asset is to ensure they behave in a
security-conscious way. Increasingly,
companies are focused on setting clear
policies, making staff aware of the policies
and then monitoring behaviour to ensure that
it is in line with those policies. The
proportion of companies that have an
information security policy has quadrupled
over the last eight years. Large businesses
remain more likely to have a security
policy; seven out of eight do so, and some
of the 12% that do not have a security
policy per se have an integrated overall set
of business policies that include
information security.
Chris Potter, partner, PricewaterhouseCoopers LLP, who led the
survey, commented:
“Of course, having a security policy alone does not magically
improve security awareness among staff. The
overwhelming majority of companies take
steps to raise awareness. The priority given
by senior management makes a difference in
the extent to which security awareness is
drilled into all areas of the organisation.
Only one in five companies for whom security
is not a priority at all takes any steps to
raise the security awareness of their staff.
“What companies are realising is that increasing security awareness
is only part of the answer. The critical
issue is changing the behaviour of their
people. A ‘click mentality’ has grown up -
users do what expedites their activity
rather than what they know they ought to. It
is a bit like the road speed limit –
everyone knows what they ought to do, but
only a few actually do it. Only when
behaviour changes do businesses realise the
benefits of a security-aware culture.”