Increased data security controls must now clamp down on staff habits - BERR
The high priority given to company information security does not necessarily translate into improved security awareness among employees, warns the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise and Regulatory Reform (BERR).
Increasingly, companies are realising that to tighten up further on information security, they have to change their people's behaviour.
The ISBS survey shows that companies are 'placing greater trust in their staff', and want them to use technology to improve their effectiveness. For example, 54 per cent of UK companies now allow staff to access their systems remotely (up from 36 per cent in 2006); every very large business gives remote access to at least some staff. The proportion of businesses restricting Internet access to some staff only has nearly halved (from 42 per cent to 24 per cent), and only 9 per cent give no staff access to the Internet.
Staff are increasingly targeted by social engineering attacks (where malicious outsiders try to obtain confidential information from employees). Businesses are also becoming increasingly concerned about what is being said about them on social networking sites, and staff have posted confidential information on these sites.
Against this, companies are hardening their technical controls:
- Use of strong (multi-factor) authentication has nearly doubled since 2006: 14 per cent of small businesses and 53 per cent of large companies now use strong authentication for some of their systems.
- Two-thirds of companies that allow staff to access their systems remotely require additional authentication over that access. Virtual Private Network (VPN) use is almost universal among very large businesses for remote access.
- 81 per cent of large companies block access to inappropriate websites; 86 per cent log and monitor staff access to the Internet.
Increasingly, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behaviour to ensure that it is in line with those policies. The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy; seven out of eight do so, and some of the 12 per cent that do not have a security policy per se have an integrated overall set of business policies that include information security.
The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April (2008). www.infosec.co.uk