Nearly eight out of 10 public sector employees ignore information security policies and indulge in insecure behaviour, according to a survey of IT and information security managers in 1,000 large and medium firms in the public sector, finance, law, manufacturing and media sectors.
The research, conducted by SafeBoot, a supplier of mobile data encryption technology, was carried out before a spate of data leakage revelations, headed by HMRC's loss in the post of the personal and banking details of 25 million child benefit recipients.
Overall, the research showed 59% of firms spent less than 10% of their IT budgets on security, even though 82% (88% of public sector firms) had a security policy. Most firms communicated the policy using memos (34%) and e-mail (29%).
Some 54% of respondents said at least half of their employees ignored the firm's security policy. But this rose to 79% for public sector staff.
Staff who ignore the policy (39%) do so because they do not take it seriously. One in five is ignorant of the threat posed by data leakage; however, this rises to 51% for public sector staff.
Public sector staff scored worse than private sector staff in nearly every category of unsafe behaviour. Nearly nine out of 10 would open unknown e-mails, compared with seven out of 10 on average. Three-quarters would connect an external device such as an iPod or digital camera to their work PCs, and 71% would download company data. Nearly six out of 10 used unencrypted USB memory devices, and 35% transported data unencrypted on mobile devices.
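In your opinion, what percentage of employees ignore your security policy? (% of responses)

| Employees ignoring policy | Overall | Finance | Public Sector | Legal | Manufacturing | Media |
|---|---|---|---|---|---|---|
| 10 - 25 per cent | 19 | 37 | 3 | 44 | 5 | 6 |
| 25 - 50 per cent | 27 | 14 | 18 | 32 | 32 | 39 |
| 50 - 75 per cent | 38 | 32 | 56 | 18 | 48 | 36 |
| 75 - 100 per cent | 16 | 17 | 23 | 6 | 15 | 19 |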