Report: Security awareness policy still hazy at most organisations

While most users believe that their organisations have clear security policies, a recent study also finds that few are actually formally trained and many make security decisions without guidance from management.

Security awareness policies are still taking a back seat in many organisations, leaving users with a hazy idea of what they are and are not allowed to do, security-wise.

A new report, published by Reading-based email and Web security company Clearswift Ltd., shows that many organisations fail to update and enforce their usage policies to reflect changing styles of work, as when employees work from home or bring their own equipment into the office.

The study is based on a survey of 2,000 office workers in the UK, US, Holland, Australia and Germany, and was conducted by London-based Loudhouse Research Ltd.

The report found that 71% of office workers thought their company had a clear Internet policy that most employees understood. However, this confidence seems to mask a lack of real knowledge: Half of respondents admitted they had never had a dedicated training session on their current company's security policy, and 38% had received no training at all about security in their current job (whether in a dedicated session or otherwise). Half also claimed that there were informal rules about Internet usage, and that "people know what's okay regardless of what the official policy says." Fifteen percent said they were concerned they might breach policy inadvertently with some of their activities.

"This suggests that even those who have had some training (at an induction or a scheduled session) are not provided with up-to-date information as they move through their organisations," the report says.

This high level of confidence, combined with lack of real knowledge, the report says, is a recipe for disaster, especially as employees begin to bring devices of their own, such as USB sticks or laptops, into the office environment.

Such a combination produces what the report describes as "IT freestyling": employees work to vague informal rules and make their own decisions with little guidance from management. In practice, 44% of respondents reported storing company data on personal memory devices, 39% had downloaded software to their own computers at work, and 25% had used personal accounts on social networks to comment about their jobs.

Richard Turner, chief executive officer of Reading-based Clearswift, said the figures show that businesses are failing their employees by not making security policies clear and regularly reinforcing them. "The policy document is often something the employee signs at induction, and then is never referred to again," Turner said.

Turner advocated greater use of system-generated warning messages to help employees do the right thing and remind them about what is and isn't permitted. For instance, if a user has been surfing the Internet for two hours, the system might ask them to confirm that the surfing is work-related, or it might ask them to confirm they want to attach a confidential file to an outgoing email message. Such messages would reinforce policy and help users operate more securely, Turner said.

But Martin Smith, founder and CEO of Cambridgeshire-based awareness specialist The Security Company Ltd., argued that one of the reasons companies fail to convey policies and procedures is because security programs are generally managed by the IT department, a group that seldom interacts with its user community. "Security is dominated by techies, whereas most breaches occur through human failure," he said. "The user is the weakest link."

"Many organisations are just interested in getting the employee to tick a box to say he's read the policy, so they can fire him if he does anything wrong," Smith said. "The policy is often just an excuse for doing nothing."

Ironically, Smith said, most users want to be secure and want to be given information that will help them to be so. "They all use the Internet at home, they know about ID theft and credit card scams, and they want to protect their kids, so they really understand what Internet security is all about."

Robbie O'Brien, a director at Metacompliance Ltd., which specialises in IT governance, said many companies fail to create security awareness until it is too late. "It's only when they have a problem -- such as an employment tribunal, or some litigation -- that they take it seriously," he said. "When the company's actions come under scrutiny, they find they haven't even dealt with the minimum duty of care. Even the concept of duty of care is almost alien to many organisations that we deal with."
