Companies At Risk From Staff Ignorance

February 2004

IT security professionals have identified lack of awareness among employees and managers as the biggest obstacle to good information security in their organisations.

A survey of IT security professionals in 200 organisations by Computer Weekly and the National Computing Centre showed that poor security awareness outranked shortage of money and resources as the biggest concern.

The survey, conducted in September and October last year, among members of Computer Weekly's Info Security User Group and NCC members, suggested that many organisations were not spending their security budgets effectively. It found too many organisations were focusing on technical solutions rather than taking a business-wide approach.

Organisations in every sector of the economy, including finance, manufacturing, education, health, utilities and IT services, took part in the survey. The firms ranged in size from less than 100 employees to more than 5,000.

The research showed that the problem is not the lack of a formal, written security policy - 80% of organisations did have a formal policy and, in most cases, they were signed off by senior managers. The problem was that these policies were not effectively communicated to staff.

Most firms took basic steps to inform their employees about the importance of information security. Security policies were placed on the intranet by 70% of respondents and 45% handed policies to staff. Another 50% gave their staff training on security threats.

But once these one-off activities have been completed, there is little emphasis on maintaining security awareness. Less than 25% regularly gave out information on new security risks or ran an ongoing information security awareness campaign. Only 41% of respondents were satisfied that their information security policies were properly enforced.

As a result, less than 15% of organisations rated the security awareness of their employees as either high or very high, and only 40% were happy with the information security awareness of their top managers.

One of the biggest areas of concern was the poor enforcement of security policies when staff left the company. Organisations did not take steps to close down web and internet access, or to prevent theft of information. Fewer than 50% of the security professionals surveyed felt their organisations were doing enough.

Part of the problem was the lack of resources. The research showed that 45% of the organisations did not have a dedicated person responsible for security. Only 33% of the organisations had a specific security budget.

Spending on information security ranged from 1% to 5% of IT budgets - less than the 3% to 5% recommended by Ernst & Young's security practice. Smaller firms spent proportionately more - between 6% and 10%.

But whether this money is well spent is another question. The research showed that, whatever their budget, organisations are not prioritising their spending. Less than 50% carried out a formal risk analysis, and less than 25% carried out a cost benefit analysis on their security projects. Only 25% had a formal register of their information security assets, and just 20% attempted to classify the importance of types of information.
