31/03/2008 - Headlines - Security
Do staff follow information security policies?
It's all very well having information security policies, but businesses need to be aware that they aren't a magic bullet for changing employee behaviour, it was claimed this week.
The latest 'Information Security Breaches Survey' by PricewaterhouseCoopers (PwC) - a biennial study carried out for the Department for Business, Enterprise & Regulatory Reform (BERR) - found that 7 out of every 8 large firms now had an information security policy in place.
However, this improvement had not necessarily translated into better security awareness among employees when it came to use of IT, according to PwC.
Chris Potter, a partner at the firm who led the survey, said: "The critical issue (for employers) is changing the behaviour of their people. A 'click mentality' has grown up - users do what expedites their activity rather than what they know they ought to.
"It is a bit like the road speed limit - everyone knows what they ought to do, but only a few actually do it. Only when behaviour changes do businesses realise the benefits of a security-aware culture."
Fewer restrictions
The survey revealed that companies were now placing greater trust in their staff, and wanted them to use technology to improve their effectiveness.
Over half (54%) of UK companies now allowed staff to access their systems remotely - up from 36% in 2006. At the same time, the proportion of businesses restricting internet access to just some of their staff had almost halved, from 42% to 24%. Only 9% now refused to allow any of their staff to access the internet at work.
However, the survey showed that staff were increasingly being targeted by "social engineering attacks" - where outsiders tried to obtain confidential information from employees.
In addition, businesses were becoming more concerned about what was being said about them on social networking sites, including by their own staff.
Against this background, companies were "hardening" their technical controls. However, PwC said technology controls alone were not enough. The key was to ensure "security-conscious behaviour" by making staff aware of policies and then monitoring behaviour to ensure it was in line with those policies.
The full results of the survey will be released at the end of April at the Infosecurity Europe event in London.
