Infosec 2009: Employee behaviour and information security risk

In today's global environment, the growing reliance of business on technology has allowed companies to reach a wider audience. This has brought benefits, such as a larger customer base, global suppliers and economies of scale. It has also brought significant risk, not least to the security of information, writes Robert O'Brien, chief executive at Baronscourt.

Many organisations have invested in technology to protect the perimeter. However, as recent headlines have shown, they have overlooked the single biggest threat to the security of information: people. The majority of major data breaches over the past 18 months can be attributed directly to employee behaviour, a failure to follow policies and procedures that has had catastrophic results: millions of personal records compromised, a plethora of government investigations, heavy fines and sanctions, reputational damage and the media baying for blood.

Your employees are at the root of effective information governance, and without making them aware of their responsibilities as guardians of data, you place your organisation at increased risk of a data breach. The major security standards, such as ISO 27001 and PCI DSS, recognise this and require that all users are covered by the organisation's security awareness and compliance programme, not just IT staff.

Organisations must ensure that employees read and understand the policies and procedures relating to IT security, and must be able to evidence this in order to achieve compliance. This must be an ongoing process. The data security threat landscape is ever evolving, and frameworks, regulations and internal IT security initiatives must change to reflect it if IT security and compliance are to be sustainable.

This continual process of managing user accountability and awareness is impractical at any scale without the help of automation. To make full use of the technology and place the onus for information security on the individual employee, organisations should:

  • Automate the policy creation process, so that new policies can be created from scratch, or existing ones amended, quickly in response to changing regulations or threats. Automatic version control provides an audit record of every policy version sent to users.
  • Use automatic targeting and scheduling, so that every user in the organisation is reached. Look for products that cover laptop users, PDA and mobile users, remote and web-access users, and staff who do not use a computer at all.
  • Obtain a response every time a user acknowledges a policy, so that every policy communication leaves an audit trail of who read and accepted it. Staff who do not acknowledge a policy can then be brought up to speed as part of a remediation exercise.
  • Automate surveys and risk assessments to test employee understanding and present a picture of your IT security posture at any given time. Auditors like to see high user participation rates.
  • Use automation to simplify audit and reporting. Products with multi-level reporting and audit views help you identify problems and risk areas and take immediate remedial action.
  • Use automation to build the repeatable processes that are the key to sustainable compliance and IT security.

Best practice IT security demands that users are trained and educated on their responsibilities for sensitive data, and this is very hard to achieve using traditional methods of corporate communication. Automation has been shown to increase user awareness levels by at least 30% in three months, providing a quick win for any IT security and compliance department.

Baronscourt is exhibiting at Infosecurity Europe 2009 on 28-30 April 2009 at Earls Court, London.
