Companies are finally realising that in order to improve on information security, they need to change the behaviour of their employees.
That’s among key findings of a survey by a consortium, led by PricewaterhouseCoopers, on behalf of BERR (Department for Business, Enterprise & Regulatory Reform).
Its 2008 Information Security Breaches Survey (ISBS) shows that companies are increasingly expecting staff to use IT to improve effectiveness. 54% now allow them remote access to systems (up from 36% in 2006); while the proportion of businesses restricting Internet access has nearly halved (from 42% to 24%).
However, the study also shows that staff are increasingly being targeted by cyber attacks, and that businesses are becoming more concerned about what is said about them on social networking sites, such as MySpace and Facebook.
Chris Potter, partner at PricewaterhouseCoopers, who led the study, observes that companies are now hardening technical controls – use of strong, multi-factor authentication has nearly doubled since 2006. However, he says, that’s not enough.
Says Potter, “Having a security policy alone does not magically improve security awareness among staff. The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation.”
For him, key to making sure that staff remain the organisation’s greatest asset is to ensure they behave in a security-conscious way. And to an extent, that is happening. Increasingly, he says, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behaviour.
The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy – seven out of eight do so, and some of the 12% that do not have a security policy do have an integrated overall set of business policies that includes information security.
“What companies are realising is that increasing security awareness is only part of the answer,” says Potter. “The critical issue is changing the behaviour of their people. A ‘click mentality’ has grown up – users do what expedites their activity, rather than what they know they ought to. Only when behaviour changes do businesses realise the benefits of a security-aware culture.”
Some 68% of companies surveyed that give a high or very high priority to security have a security policy (up from 55% in 2006), compared with 64% of those that treat security as low or no priority (up massively from 13% in 2006).
14% of small businesses and 53% of large companies now use strong authentication for some of their systems. Two-thirds of companies that allow staff to access their systems remotely require additional authentication. Also, 81% of large companies block access to inappropriate websites, while 86% log and monitor staff access to the Internet.
Full results of the survey will be published at Infosecurity Europe in London, 22-24 April (www.infosec.co.uk).