Employees the weakest link in IT security

Mar 27 2008 by Nic Paton

There is growing recognition among employers that, however much time and money they spend on ramping up their IT security, it counts for very little if they fail to change the practices and mindset of their workforce.

More and more firms are clamping down on their IT security, a study in the UK by consultancy PricewaterhouseCoopers has found, with seven out of eight large businesses now claiming to have a security policy in place.

But the research among more than 1,000 employers conducted with the government's Department for Business, Enterprise & Regulatory Reform has concluded that, without changing people practices, this flurry of activity is a waste of time.

Yet a series of high-profile data breaches and losses of personal information by the government over the past few months may mean that attitudes are finally changing.

The PwC research has coincided with a study by the UK government's information and data watchdog, the Information Commissioner's Office, which has found that eight out of 10 people in the UK now take looking after their personal information much more seriously.

Nearly nine out of 10 people polled said they had now started checking their bank statements on a more regular basis and 85 per cent now refused to give out personal details wherever possible.

The PwC research identified changing employee behaviour as the key to improving information security.

Companies were placing greater trust in their staff and wanted their workers to use technology to improve their effectiveness, it found.

For example, more than half now allowed staff to access their systems remotely (up from more than a third in 2006), with all very large businesses polled giving remote access to at least some staff.

At the same time, the proportion of businesses restricting internet access to some staff only had nearly halved (from 42 per cent to 24 per cent), and fewer than a tenth gave no staff access to the internet.

Yet the survey also showed that staff were increasingly being targeted by "social engineering" attacks, in which outsiders tried to obtain confidential information from employees.

In addition, businesses were becoming increasingly concerned about what was being said about them on social networking sites such as MySpace, Facebook and Bebo, where some staff had been found to have posted confidential information.

Against this background, companies were hardening their technical controls by using better authentication methods, with the number using "strong" authentication nearly doubling since 2006.

Two-thirds of companies that allowed staff access to their systems remotely also now required additional authentication over that access, with virtual private networks almost universal among very large businesses for remote access.

More than eight out of 10 large companies blocked access to inappropriate websites and 86 per cent logged and monitored staff access to the internet.

Companies were also increasingly setting clear policies, making staff aware of them and then monitoring behaviour to ensure that it was in line with those policies, the survey found.

The proportion of companies that had an information security policy had quadrupled over the past eight years.

Large businesses remained more likely to have a security policy, with seven out of eight doing so; some of the 12 per cent that did not have a policy per se had an integrated overall set of business policies that included information security.

More than two-thirds of the companies polled that gave a high or very high priority to security also had a security policy (up from 55 per cent in 2006), compared with 64 per cent of those that treated security as a low priority or no priority at all.

There was some correlation between how clearly senior management understood security issues and whether a security policy was in place, PwC found.

However, even where senior management had a very poor understanding, more than half of those businesses had a security policy.

The biggest correlation was between security policy and risk assessment, with companies carrying out risk assessment nearly twice as likely to have a security policy in place as those that did not.

Chris Potter, partner at PwC, who led the survey, said: "Of course, having a security policy alone does not magically improve security awareness among staff. The overwhelming majority of companies take steps to raise awareness.

"The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation. Only one in five companies for whom security is not a priority at all takes any steps to raise the security awareness of their staff," he added. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people. A 'click mentality' has grown up – users do what expedites their activity rather than what they know they ought to.

"It is a bit like the road speed limit – everyone knows what they ought to do, but only a few actually do it. Only when behaviour changes do businesses realise the benefits of a security-aware culture," he concluded.