The key to improving IT security rests with staff, according to new research released today that revealed companies have to change employee behaviour in order for security issues to be solved.
The findings came from the 2008 Information Security Breaches Survey (ISBS) carried out for the Department for Business, Enterprise & Regulatory Reform (BERR).
The research revealed that the proportion of companies with active IT security policies in place had quadrupled in the last eight years with seven out of ten large businesses now actively enforcing security policy.
It also found that 68 per cent of companies that had a high priority for security now had a security policy in place, an increase from 55 per cent in 2006 when the same survey was conducted.
"What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of the people," said Chris Potter, partner of PricewaterhouseCoopers LLP, which carried out the survey.
"A 'click' mentality has grown up - users do what expedites their activity rather than what they know they ought to.
"It's a bit like the road speed limit - everyone knows what they ought to do, but only a few actually do it. Only when behaviour changed do businesses realise the benefits of a security-aware culture."
The focus on security policies by business had much to do with the fact that they were putting much more trust in their staff.
The survey said that 54 per cent of UK companies allowed staff to access systems remotely, up from 36 per cent in 2006. The proportion of businesses restricting internet access has nearly halved.
Staff were becoming increasingly targeted by social engineering attacks. Businesses were wary of websites like Facebook and MySpace because of the increasing habit of employees divulging confidential information.
To combat the threat, businesses had increased technical controls, with the use of strong authentication doubling and a Virtual Private Network (VPN) now being almost universal among large businesses for remote access.
Author: Asavin Wattanajantra
IT policies key to maintaining data security