Organisations typically rely on technology to ensure data protection and regard employees as a potential threat, but a growing number of information security teams are looking for ways to make users their biggest allies.
The focus is shifting from doing the bare minimum to get a tick in the compliance box, to actively involving users as regulations change, regulators get more powers and general awareness around data protection increases, says Eamonn Medlar, head of systems security at WPP Group.
"People are suddenly getting fined for having their laptop stolen from their house, and this has made people sit up and take notice," he said.
The monetary penalties imposed by the Information Commissioner's Office (ICO) are not for the laptops being stolen, he says, but for being reckless with sensitive data.
Medlar believes that organisations being hit with penalties despite having every compliance box ticked is helping to move things on. He is to take part in a panel discussion on user-centric security at Infosecurity Europe 2011 at Earls Court, London, from 19 to 21 April.
The rest of the panel, led by Jinan Budge of Forrester Research, comprises Mark Logsdon of Barclays and Martyn Styles of law firm Allen & Overy.
The panel will look at key factors to incorporate into any employee awareness training, especially how best to make people care by helping them relate to the corporate risks in the same way they would personal risk.
This is important, says Medlar, because the IT landscape is changing rapidly, the corporate perimeter has disappeared and users are no longer dependent on IT departments for their equipment, often preferring to buy their own kit.
"IT security professionals need to talk to the users constantly, not to tell them what they cannot do, but as a trusted friend who is there to help them do the right thing and keep personal and corporate data safe," he said.
Most of the time, users should be allowed to be as creative in their use of technology as they need to be to do their job, says Medlar, and the only time IT security should step in is to prevent them from doing something risky.
Tools for protection
Information security professionals need to ensure users have the tools they need to sanity-check what they are doing on the internet, and get the necessary training to make them aware of the risks of doing certain things, he says.
"Security policies need to be backed up by a well-crafted employee awareness programme that is fit for purpose, not one that is irrelevant, out of date or takes too long," says Medlar.
The best examples of such programmes incorporate short, regular reminders or warnings to users around security issues, which, he says, users generally appreciate as long as the reminders do not get in the way.
Another good example, says Medlar, is a creative and humorous guide put together by an FMCG company that includes real-world examples of where company security rules applied and the consequences of not applying them.
"Information security professionals need to move from being viewed as bouncers at the door to being viewed as close, personal bodyguards who give users freedom by protecting them and warning them about the risks," says Medlar.