No matter how many policies and training schemes are in place at
firms, basic human error still poses the most likely threat to a
company's IT security, say IT directors.
Network security firm Clavister commissioned a YouGov survey of 212 IT
directors and found that 86% believed that the most likely cause of IT
security issues came from their employees.
They said the reasons for this were down to staff ignoring, not
being made aware of, or not being sufficiently trained on security
policies, as well as making mistakes or committing industrial
espionage.
The findings show that 31% of IT directors believe the most
likely cause of IT security issues is staff consciously ignoring
security policies, and 37% say they are down to human error.
In addition, 13% blame insufficient training and awareness of
policies, and 5% point to industrial espionage.
Clavister said security policies must have the following
features if they are going to have a chance of working:
1. Design the policy so that it is easy to read and understand
Do not make it too complicated and technical. Use examples
demonstrating each point.
2. Educate the users about the policy
It is absolutely key that they understand why rules are needed
and what it means to them, both personally and in their job.
3. Enforce consequences
Users who do not comply with the policy must face consequences.
4. Make it easy to do the right thing
Do not just write a web policy which states that something is
forbidden; implement a content filtering gateway, for example, which
makes it impossible to do the wrong things.
5. Dictate a hierarchy of access permissions
Grant users access only to what is necessary for the completion
of their work.
6. Monitor and improve
Monitor policy compliance using both security information and
event management systems and manual spot checks. Do not be afraid to
update your policy; it is a living document. If users do not
understand, give more examples. If it is difficult to comply, find
new support technologies; they are there to help you.