Employee Security Policies Clear as Mud

Wednesday, December 8, 2010 @ 05:12 PM gHale

If you ask employees, their awareness of their companies’ security policies is high.
In a survey of 2,000 office workers, software security company Clearswift found almost three quarters, 74 percent, felt ‘confident’ they understand their employers’ Internet security policies.
They define the policy as procedures designed to safeguard data and IT security, as well as maintain productivity.
The numbers, however, say something else.
Clearswift said in its summary of the findings that a third of those surveyed have not received any training on IT security since joining their firm, and more than two thirds of those who have not had any training since joining have been with their organization for more than five years.
“Pretty much every employee can remember a vague discussion about policy at some time in their career, maybe when they joined their current employer or it may be from their previous job,” said Andrew Wyatt, Clearswift’s chief operating officer. “When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office ‘folklore’ to become perceived as official policy very quickly. If employees are not aware of when they have broken policies, in some cases because the policy is not even enforced, it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy.”
The research consisted of an online survey of 2,000 adult office workers in companies of 100 people or more, with 500 respondents each from the UK, USA, and Germany, plus 250 each in the Netherlands and Australia.
“IT security companies have for too long made a living out of making their customers feel insecure, trading on fear and negativity to maximize profit,” said Richard Turner, Clearswift Chief Executive. “It is clear to me that to be more secure companies must first stop feeling insecure. By bringing IT security out of the shadows and educating employees on the risks and the protection in place, all organizations will ultimately benefit. Security should not be about cloak and dagger or fear and reprisals; it should be open, visible, evolving and engaging; above all it should be borne out of knowledge and understanding.”
One in four of those surveyed felt their company could be better at communicating guidelines, with 63% blaming ignorance or a lack of understanding for security breaches suffered by their organization. Perhaps this goes to show why 17% agreed security policies are “more about apportioning blame than protecting data.”
The survey also shows office workers around the world are using a range of technologies in order to do their jobs and manage their personal lives. The boundaries between work and home use and appropriate and inappropriate use of technology are ever-shifting and essentially unclear.
The survey showed a sense of IT free-styling, where workers apply their own rules to technology use regardless of what official policy says. 44% of workers report storing work data on personal memory devices, 39% download software to their computer at work, and 25% use personal accounts on social networks to comment about their job. As one respondent put it, “I access my personal email accounts and also do shopping during my lunch hour. I’m hoping that no-one can see my card details or read my emails.”
Most of the online activity during the day is likely personal, since only 14% use social media for work purposes. Email still dominates work communication, and much of this email runs in the cloud, raising security issues of which employees may not be aware. 74% frequently use email and other web-based media to communicate with customers or clients about business.
“It’s time for companies to get to grips with making a policy a living, breathing part of their business that is relevant to everyday corporate life – not just a tick in the box when it comes to an induction period,” Turner said. “All too often, a policy is simply a document that is referred to only when something goes wrong – almost proof that someone ‘should have known better’. There is little or no point in having an IT security policy in place unless staff across the business are fully aware of it and, more importantly, understand the reasons why the rules are in place.”