Paula Davis, global head of client services at standards, compliance and business solutions provider, SAI Global, told Infosecurity: “To me there are three big things coming out of this survey: I think views are broadly positive, so we've got a willing target audience group there, but I think we’re missing an opportunity with regards to the engagement of managers and having them really lead by example in the area of security behaviours. I think we’re also missing an opportunity around awareness training that will effectively bridge the gap between security policies and security practices around the workplace".
The main conclusions of the report include:
- There are broadly positive attitudes to information security;
- The majority acknowledge the importance of information security to business;
- A significant minority is unwilling - or unable - to put positive attitudes into practices;
- 95% of respondents believe information security important, but 25% says they have not received information security awareness training;
- 20% don’t know how to report a security incident;
- Almost a quarter do not believe it appropriate for employers to monitor emails and internet use; and
- 31% find that information security requirements interfere with their ability to do their job.
SAI Global believes the discrepancy between the belief that information security is important and the view that policies interfere with people’s work, could indicate that more efforts need to be made to “forge the connection between security policies and protection of organisations and their employees.”
Furthermore, future security awareness or training initiatives “should be targeted at all employees, including the board, managers, temporary staff and contractors, with the overall goal of creating a security conscious workforce – from the top-down.” People not receiving training, or not being aware of how and where to report information security incidents, “could pose a security risk to companies”, the report states.
For example, 19% do not know where to find their organisation's security policy, with 14% choosing 'neutral'; and 14% have not read and understood these policies. What Davis called a "worrying minority" of 6% do not always follow information security policies, with 18% choosing 'neutral', and 7% saying they are not encouraged to work securely by their manager.
Are policies too complicated?
“Many organisations would say ‘we’ve got a policy, all the correct behaviours are written down, people know what they should do’. I think that’s a fairly risky position to take”, Davis said. “I think the current problems in the economy show that – what’s happening in the economy right now isn’t about a lack of rules, it’s a lack of understanding and a lack of application of those rules. And I think this is true in security circles. The rules are there, they exist, they are written down, but do people really understand them and know how to apply them?”
One barrier could be that some employees believe that you have to understand the security technology in order to behave in a safe way, but as Davis said: “It’s the case that you don’t need to be an IT expert, it’s the old ‘driving a car’ analysis: you can drive a car perfectly safely without knowing the first thing about how the engine works, and I think that’s true for security. We need to learn secure behaviour and practices, we don’t need to be IT experts to do that.”
What could be different?
Asked what the information security industry could do to change the trend of high awareness, but low compliance, Davis told Infosecurity: “What the information security industry can do, is focus a little more on the human element of security.”
She said that although the technology and processes are “absolutely vital”, there is a big gap, which is the human element: “Once we’ve put all these technical measures in place, once we’ve put all the processes and procedures in place, we are reliant upon the behaviour of the average employee to close the loop and to be the final piece in the jigsaw to protect the organisation from security breaches.”
Results:
|
|
Strongly agree |
Agree |
Neutral |
Disagree |
Strongly disagree |
|
Infosecurity is important |
56% |
39% |
3% |
1% |
0% |
|
Infosecurity interferes with ability to get job done |
6% |
25% |
24% |
35% |
10% |
|
Employers should monitor internet and emails |
8% |
39% |
29% |
18% |
5% |
|
Individuals are responsible for infosecurity |
56% |
41% |
2% |
1% |
0% |
|
Know how to report a security incident |
18% |
46% |
16% |
18% |
2% |
|
Know where to find the infosecurity policy |
21% |
47% |
14% |
17% |
2% |
|
Know where to go for help and advice |
26% |
45% |
13% |
14% |
2% |
|
Read and understood infosecurity policies |
20% |
52% |
15% |
12% |
2% |
|
Always follow infosecurity policies |
22% |
55% |
18% |
5% |
1% |
|
Encouraged to work securely by manager |
23% |
49% |
22% |
6% |
1% |
|
Received awareness training |
25% |
38% |
15% |
18% |
4% |
|
Would report an incident |
25% |
53% |
19% |
3% |
0% |
The SAI Global study included 10 companies and a total of 1282 respondents.