Security flouted to 'get the job done'
Companies are leaving themselves vulnerable to employees’ ‘purposeful flouting’ of the rules when it comes to information security, claims a survey by certification company (ISC)2.
The survey revealed that organisations are becoming confident in their ability to comply with the policies and procedures set out to secure their organisations. Analysis of the results, however, revealed education efforts to be immature, with most concerns relating to accountability and company-wide understanding of what is required.
The survey questioned 737 information security professionals in March (2009) about their organisation’s efforts in policy and awareness management. The majority – 80 per cent – said their company’s ability to comply with security policy was ‘satisfactory’, ‘good’ or ‘very good’, leaving only 20 per cent saying they were ‘dissatisfied’. However, this confident stance was tempered by concerns from nearly half of the respondents over a lack of training (48 per cent); poor employee understanding of policy (46 per cent); a lack of defined accountability (42 per cent); and an unsupportive company culture (48 per cent).
These obstacles to compliance with policy were cited by significantly more respondents than other issues of traditional concern, including a lack of budget, which only 22 per cent were concerned about, and the ability to procure the latest technology, which concerned only 19 per cent of respondents.
“The challenges are shifting from the systems to the people,” says John Colley, (ISC)2’s managing director EMEA. “Security requirements are not yet well understood – or, worse, flouted – often with management support, in order to get a job done.”
When asked whether their organisations tracked security policy, some 63 per cent of respondents replied in the affirmative, and 60 per cent identified that there were sanctions for non-compliance, while only two per cent felt that those sanctions were understood company-wide. The survey also queried efforts to educate employees about policies and expectations.
Most formal efforts to educate employees were said to be delivered online, a method identified by 56 per cent of respondents, while 35 per cent used an employee newsletter and 35 per cent said expectations were written into employee contracts. Only a quarter reported in-person training programmes.