Users should be 'more responsible for data security'
Organisations need to empower employees to take more personal responsibility for protecting critical and confidential information, a report from the Information Security Forum (ISF) has proposed.
‘Protecting Information in the End-user Environment’ draws on the views and experiences of some 300 leading companies and public sector bodies to identify the areas of greatest risk and to present practical recommendations.
Most organisations have many different end-user environments, often across physical locations, comprising individuals who use a wide range of technologies to handle information, the ISF says. These disparate environments, it adds, are subject to factors such as diverse cultures and different operating conditions that make managing information security very difficult.
“Greater business and personal use of computing and communications and, in particular, social networking websites are creating a major headache for information security professionals,” says ISF senior research consultant Mark Chaplin. “It is all too easy for end users to share confidential information with unauthorised individuals, or to corrupt critical information needed to support key business processes.”
Organisations need to recognise that the information security function “cannot provide all the protection necessary without a complete lock down”, explains Chaplin. Instead, much of the responsibility lies with end-users “where more focus needs to be placed on education and awareness to create a culture where employees are empowered to protect corporate information”.
Chaplin adds: “It is not unusual for management, including senior executives, to be unaware of the value of information that employees have access to and use; the threats this information is exposed to when not adequately protected; and the potential business impact if this information is compromised in the end user environment.”