Half of UK security managers are concerned about end-users' lack of
security awareness, a survey has revealed.
In a poll of more than 700 security professionals, the biggest
concerns were a lack of training (48%), an unsupportive company
culture (48%), poor employee understanding of policy (46%) and a
lack of defined accountability (42%).
Concerns about these obstacles to security compliance are
significantly higher than traditional concerns, said the report on
the joint (ISC)2 and Infosec Europe 2009 survey.
Only 22% said they are concerned about a lack of budget and 19%
said they are concerned about the ability to procure the latest
technology.
"The challenges are shifting from the systems to people," said
John Colley, EMEA managing director for (ISC)2.
The relatively low concern about budgets suggests security
continues to be viewed as a business imperative, even in the
current economic climate, he said.
According to Colley, businesses have a huge task ahead to ensure
employees understand what is expected of them in terms of IT
security and why. "Unfortunately, security requirements are not yet
well understood, or worse flouted, often with management support to
get the job done," he said.
The survey found that although 60% said there were punitive
consequences for non-compliance with security policy, only 2% felt
those sanctions were understood by everyone.
According to Colley, many organisations are still in the early
stages of improving security awareness.
"The generic programme delivered by the company intranet cannot
be adequate, because one size does not necessarily fit all," he
said.
Colley is to give a presentation on getting the basics of
security right at Infosecurity Europe 2009 at Earls Court in London
on 30 April.