27 March 2008

Employee behaviour key to improving information security, new survey finds

Companies are finally realising that in order to improve on information security, they need to change the behaviour of their employees.



That’s among key findings of a survey by a consortium, led by PricewaterhouseCoopers, on behalf of BERR (Department for Business, Enterprise & Regulatory Reform).

Its 2008 Information Security Breaches Survey (ISBS) shows that companies are increasingly expecting staff to use IT to improve effectiveness. 54% now allow them remote access to systems (up from 36% in 2006); while the proportion of businesses restricting Internet access has nearly halved (from 42% to 24%).

However, the study also shows that staff are increasingly being targeted by cyber attacks, and that businesses are becoming more concerned about what is said about them on social networking sites, such as MySpace and Facebook.

Chris Potter, partner at PricewaterhouseCoopers, who led the study, observes that companies are now hardening technical controls – implementing strong, multi-factor authentication (nearly doubled since 2006). However, he says, that’s not enough.

Says Potter, ”Having a security policy alone does not magically improve security awareness among staff. The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation.”

For him, key to making sure that staff remain the organisation’s greatest asset is to ensure they behave in a security-conscious way. And to an extent, that is happening. Increasingly, he says, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behaviour.

The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy – with seven out of eight doing so, while some of the 12% that do not have a security policy, do have an integrated overall set of business policies that includes information security.

“What companies are realising is that increasing security awareness is only part of the answer,” says Potter. “The critical issue is changing the behaviour of their people. A ‘click mentality’ has grown up – users do what expedites their activity, rather than what they know they ought to. Only when behaviour changes do businesses realise the benefits of a security-aware culture.”

Some 68% of companies surveyed that give a high or very high priority to security have a security policy (up from 55% in 2006), compared with 64% of those that treat security as low or no priority (up massively from 13% in 2006).

14% of small businesses and 53% of large companies now use strong authentication for some of their systems. Two-thirds of companies that allow staff to access their systems remotely require additional authentication. Also, 81% of large companies block access to inappropriate websites, while 86% log and monitor staff access to the Internet.

Full results of the survey will be published at Infosecurity Europe in London, 22-24 April www.infosec.co.uk

Brian Tinham

Supporting Information

Websites
http://www.infosec.co.uk/

Companies
PricewaterhouseCoopers

This material is protected by Findlay Media copyright
See Terms and Conditions.
One-off usage is permitted but bulk copying is not.
For multiple copies contact the sales team.

Do you have any comments about this article?

Add your comments

Name

 
Email

 
Comments
 

Your comments/feedback may be edited prior to publishing. Not all entries will be published.
Please view our Terms and Conditions before leaving a comment.

Related Articles

Manufacturing view of security

The British Security Industry Association (BSIA), the trade body representing ...

Safety performance tool

Rockwell Automation has launched the Safety Maturity Index (SMI) tool, a ...

ODVA machinery SIG

Open, interoperable automation technologies pressure group ODVA is forming a ...

Getting IT right

Back to basics, but with your eyes wide open is a good starting point for any ...

Dodging the puppy syndrome

With the pressure on to cut costs, yet improve business and system agility, ...

Network practice

There’s much more to securing and provisioning your business and plant networks ...

Related Articles

Bakehouse: Delicious and determined

Bakehouse have gone from start-up to market leaders in 15 years. They are now ...

Sevcon

Customers and Shareholders Benefit as Global Manufacturer Deploys Management ...

Six Steps for: Discrete Manufacturers

Columbus IT has worked with many Discrete Manufacturing organisations enabling ...