The survey involved more than 300 Irish IT administration and management staff and was undertaken in advance of the fourth annual ICS Data Protection conference on 9 February 2012. More than one-third of respondents believe that their companies place too low an emphasis on data protection, while more than one-quarter consider that the greatest threat is from negligent employees. One-third don’t even know if their companies have a formal data protection policy.
SecurEnvoy believes that one of the main causes of this problem is that the human element is often overlooked in security. Staff seek to do their job as efficiently as possible without realizing that this sometimes compromises security. “But how do you motivate members of staff – who often have other issues to worry about – to use technology to reduce the risk of the company’s data going walkabout?” asks Steve Watts, SecurEnvoy’s co-founder.
Watts believes that it is incumbent on companies to make security as easy and intuitive as possible. “With the research showing that over half of the respondents to the survey expressed a belief that formal training and awareness programmes should be conducted on a regular basis to educate staff on IT security issues, it really comes down to making the technology involved as easy as possible for employees to use on a day-to-day basis,” he said.
“The solution, I believe, is to use the available technology more wisely.” He recommends the use of mobile phones, which nearly all staff have in their pocket or handbag, as a means of tokenless two factor authentication. “If you make the technology easier to use, you can achieve stakeholder security buy-in a lot more easily,” he added.
New Irish legislation, due to come into effect 2014, will require medium and large companies in Ireland to implement formal data protection training and have a designated data protection officer.