Although most organisations have a security policy, many are failing to enforce it properly, a survey by Computer Weekly and the NCC reveals.
IT security professionals have identified lack of awareness among employees and managers as the biggest obstacle to good information security in their organisations.
A survey of IT security professionals in 200 organisations by Computer Weekly and the National Computing Centre showed that poor security awareness outranked shortage of money and resources as the biggest concern.
The survey, conducted in September and October last year, among members of Computer Weekly's Info Security User Group and NCC members, suggested that many organisations were not spending their security budgets effectively. It found too many organisations were focusing on technical solutions rather than taking a business-wide approach.
Organisations in every sector of the economy, including finance, manufacturing, education, health, utilities and IT services, took part in the survey. The firms ranged in size from less than 100 employees to more than 5,000.
The research showed that the problem is not the lack of a formal, written security policy - 80% of organisations did have a formal policy and, in most cases, they were signed off by senior managers. The problem was that these policies were not effectively communicated to staff.
Most firms took basic steps to inform their employees about the importance of information security. Security policies were placed on the intranet by 70% of respondents and 45% handed policies to staff. Another 50% gave their staff training on security threats.
But once these one-off activities have been completed, there is little emphasis on maintaining security awareness. Less than 25% regularly gave out information on new security risks or ran an ongoing information security awareness campaign. Only 41% of respondents were satisfied that their information security policies were properly enforced.
As a result, less than 15% of organisations rated the security awareness of their employees as either high or very high, and only 40% were happy with the information security awareness of their top managers.
One of the biggest areas of concern was the poor enforcement of security policies when staff left the company. Organisations did not take steps to close down web and internet access, or to prevent theft of information. Fewer than 50% of the security professionals surveyed felt their organisations were doing enough.
Part of the problem was the lack of resources. The research showed that 45% of the organisations did not have a dedicated person responsible for security. Only 33% of the organisations had a specific security budget.
Spending on information security ranged from between 1% and 5% of IT budgets - less than the 3% to 5% recommended by Ernst & Young's security practice. Smaller firms spent proportionately more - between 6% and 10%.
But whether this money is well spent is another question. The research showed that, whatever their budget, organisations are not prioritising their spending. Less than 50% carried out a formal risk analysis, and less than 25% carried out a cost benefit analysis on their security projects. Only 25% had a formal register of their information security assets, and just 20% attempted to classify the importance of types of information.
Mark O'Flaherty, partner in information security at Ernst & Young, said, "Companies are not spending money in the right areas and they may be installing security systems that do not reflect the risks. Companies should not be using a scattergun approach - they should focus their security budgets on critical assets."
It is clear that having a formal security policy alone will do little to improve security, but the survey provided compelling evidence that improving security awareness among staff is the biggest factor for good security.
Martin Smith, director of the Security Company, said, "One of the quickest and easiest ways to improve security is to raise awareness. About 80% of the organisations I speak to are doing nothing. And of the 20% that are, it is rarely adequate."
Raising awareness requires much more than a few posters and a page in the employee handbook. Having top management on-board is one of the most critical factors for success.
Taking a personal approach to information security is another effective strategy, said O'Flaherty. Security should be an objective for all employees. He advised IT security managers to look for people leaving passwords on their desks and to invite offenders for a personal chat.
"When incidents happen, make them public. If a virus has been detected, send an e-mail to staff. If there has been misuse of e-mail, make that public," he said.
Above all, security awareness needs to be an ongoing process. Staff need to be continually reminded of the risks to make information security directly relevant to their work they do.
Information Security Policy and Practice is available at £125 to non-members or £75 to members from the National Computing Centre
Reported security attacks
In the survey, companies reported attacks that included:
Denial-of-service attacks on port 80 of the web server, including buffer overflow vulnerabilities
"Greeting card" left on the application server
A departmental web server was hacked and defaced
Blaster virus led to the web service not being available and the website data being deleted
Denial of service attack on an extranet which necessitated rebuilding the service to ensure no further penetration. The extranet was down for a week.
An open FTP server was vulnerable to abuse through storage of undesirable files
The automatic update feature of the virus checker acted as an open relay and was used to relay spam
The home page of a corporate website was defaced.
Security survey results in brief
Less than 50% of organisations carried out a formal risk analysis
Less than 25% carried out a cost benefit analysis on their security projects
Only 25% had a formal register of their information security assets
Only 20% attempted to classify the importance of different types of information.
This was first published in January 2004