Security Still a Major Concern
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Seven out of eight organizations are aware of the need to implement effective security policies, yet the high priority given to information security (IS) does not translate into improved awareness among employees. This and other findings were among the main results of the 2008 Information Security Breaches Survey, conducted by PricewaterhouseCoopers (PwC) LLP on behalf of the UK Department of Business, Enterprise, and Regulatory Reform. The study of more than 1,000 IS professionals in the United Kingdom also found that many companies are looking to change employee behavior as a way to further improve IS efforts.
"What companies are realizing is that increasing security awareness is only part of the answer," says PwC Partner Chris Potter, who led the survey. "The critical issue is changing the behavior of their people. Only when behavior changes do businesses realize the benefits of a security-aware culture."
More specifically, the survey found that employees are increasingly targeted by social engineering attacks to obtain confidential information. Worse, there is a growing concern among survey participants about what is said about their organizations on social networking sites, such as MySpace, Facebook, and Bebo, and some employees have even posted confidential corporate information on the sites. To counter these problems, organizations are tightening security controls.
According to the survey, many organizations are using strong, multi-factor authentication as a security measure — 14 percent of small businesses and 53 percent of large companies now use multi-factor authentication for some of their systems. Furthermore, nearly 67 percent of companies that allow staff to access their systems remotely require additional authentication over that access, while the vast majority of companies represented in the survey use a virtual private network to access corporate resources remotely. In addition, 81 percent of companies block access to inappropriate Web sites and 86 percent log and monitor staff access to the Internet.
Besides implementation of security controls, companies are going one step further by implementing IS policies, educating staff on these procedures, and monitoring employee compliance. For example, the proportion of companies having an IS policy has quadrupled over the past eight years and 68 percent of survey respondents give a high priority to having an IS policy. Additionally, while 12 percent of surveyed organizations do not have an IS policy, these companies do have an integrated set of business policies that include IS measures and controls. Finally, nearly two-thirds of these organizations welcome more employee education about IS risks.
"Traditionally, when organizations have attempted to improve employee awareness, they have used a combination of computer-based training and face-to-face presentations to get security messages across," says Martin Smith, chairman and founder of The Security Company Ltd., a consulting organization that promotes security awareness. "To be truly effective, awareness messages need to be personalized and tailored to the audience. Messages also need to be kept up-to-date, so sharing experiences with other organizations is important. But, if you want to really change staff behavior, you must put metrics in place to measure actual performance, to ensure compliance, and to reinforce and reward the right conduct."
For more information about the survey, visit the PwC Web site.