Companies fall short in information security training

While three-quarters of employees surveyed felt that they understood their information security policy, 63% believed that data breaches were caused by employee ignorance.

For its Security Awareness Report, Clearswift interviewed 2000 people from the US, the UK, Germany, Australia, and the Netherlands. Most employees surveyed had been with their firms at least five years.

“There was a mismatch between people’s perception of understanding policies and actually what was happening in real terms….This is somewhat shocking given the speed at which the internet world is evolving”, said Andrew Wyatt, chief operating officer of Clearswift.

In an interview with Infosecurity, Wyatt said that information security is still seen as the domain of the IT and HR departments.

“The IT department doesn’t necessarily know who in the marketing department needs to be able to access Facebook or some of these other social networking sites and never will because the roles of the marketing department will continue to change. Educating employees about IT policies today is often the purview of the HR department when somebody joins the company. They might get handed a policy if they are lucky and talked to about the policy for 10 minutes and that’s it. Job done. So the education piece needs to move out of the HR world and IT world and have stronger high-level support”, Wyatt said.

According to the survey, one in four employees felt that their company could be better at communicating guidelines for use of social media; 17% of respondents agreed that information security policies were “more about apportioning blame than protecting data”.

While 50% of employees had discussed internet use policy with colleagues in the past 12 months, only 14% had raised a question about whether something done online is permitted under the company’s policy.

Monitoring of internet use at work was an area of confusion for employees: 21% said that their employer’s electronic monitoring is the single most confusing aspect of using the internet at work. Over one in five office workers did not know if their internet use was being monitored. Of the 57% who knew that their internet use at work was monitored, 38% felt that their employer accessed information about personal internet use more than was necessary to maintain security, the survey found.

Wyatt stressed that information security policy that is based on “stop and block” – not allowing workers to use social networking sites at work – will not work “in this new social media world.”

“There needs to be much more focus on educating people about the use of these technologies and the security risks associated with them. Rather than hiding IT security infrastructure in the cupboard, as it were, it needs to be brought out in the open. So if you are going to click on a website which your company would prefer you don’t go see, then maybe a warning pops up on the screen which allows you to continue through but makes it clear that your action is being noted.”

The more “progressive” companies are taking a “trust but verify” approach to information security, he noted. Companies are “trusting the employees to do the right thing, but making sure there is reporting, and analysis is going on in the background so that line of business managers can actually check up and ensure that appropriate use is being made.”

Wyatt said that information security policies need to be reviewed in terms of new technologies. Current policies “tend to be about what you can and can’t do, rather than how you engage in the social media world. A lot of the policies have been left behind by the fact that technology has moved on….A more holistic information security policy is needed….The key is education and training.”
