IT directors fear their staff most when it comes to security

No matter how many policies and training schemes are in place at firms, basic human error still poses the most likely threat to a company's IT security, say IT directors.

Network security firm Clavister commissioned a YouGov survey of 212 IT directors and found that 86% believed that the most likely cause of IT security issues came from their employees.

They said the reasons for this were down to staff ignoring, not being made aware of, or not being sufficiently trained on security policies, as well as making mistakes or committing industrial espionage.

The findings show that 31% of IT directors believe the most likely cause of IT security issues is staff consciously ignoring security policies, and 37% say they are down to human error.

In addition, 13% blame insufficient training and awareness of policies, and 5% point to industrial espionage.

Clavister said security policies must have the following features if they are going to have a chance of working:

1. Design the policy so that it is easy to read and understand

Do not make it too complicated and technical. Use examples demonstrating each point.

2. Educate the users about the policy

It is absolutely key that they understand why rules are needed and what it means to them both personally and in their job.

3. Enforce consequences

Users who do not comply with the policy must face consequences.

4. Make it easy to do the right thing

Do not just make a web policy which states that something is forbidden; implement a content filtering gateway, for example, which makes it impossible to do the wrong things.

5. Dictate a hierarchy of access permissions

Grant users access only to what is necessary for the completion of their work.

6. Monitor & improve

Monitor policy compliance using both security information and event management systems and manual spot checks. Do not be afraid to update your policy; it is a living document. If users do not understand, give more examples. If it is difficult to comply, find new support technologies; they are there to help you.
