Staff Behaviour Key

by msecadm4921

UK companies have become increasingly aware of the need to have information security policies in place, with seven out of eight large businesses now claiming to have one.

However, the high priority given to information security by companies does not necessarily translate into improved security awareness among employees. Increasingly, companies are realising that to tighten up further on information security, they have to change their people’s behaviour.

These are among the early findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). The full results of the survey will be launched at Infosecurity Europe in London, running from April 22 to 24. Visit www.infosec.co.uk.

The survey shows that companies are placing greater trust in their staff and they want their staff to use technology to improve their effectiveness. For example, 54 per cent of UK companies now allow staff to access their systems remotely (up from 36 per cent in 2006); every very large business gives remote access to at least some staff. The proportion of businesses restricting Internet access to some staff only has nearly halved (from 42 per cent to 24 per cent), and only 9 per cent give no staff access to the Internet.

At the same time, the survey shows that staff are increasingly targeted by social engineering attacks (where outsiders try to obtain confidential information from employees). In addition, businesses are becoming increasingly concerned about what is being said about them on social networking sites (such as MySpace, Facebook and Bebo), and some staff have posted confidential information on these sites.

Against this background, companies are hardening their technical controls:

Use of strong (i.e. multi-factor) authentication has nearly doubled since 2006. 14 per cent of small businesses and 53 per cent of large companies now use strong authentication for some of their systems.

Two-thirds of companies that allow staff to access their systems remotely require additional authentication over that access. Virtual Private Network (VPN) use is almost universal among very large businesses for remote access.

81 per cent of large companies block access to inappropriate websites and 86 per cent log and monitor staff access to the internet.

However, technology controls alone are not enough. Key to making sure that staff remain the organisation’s greatest asset is to ensure they behave in a security-conscious way. Increasingly, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behaviour to ensure that it is in line with those policies. The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy; seven out of eight do so, and some of the 12 per cent that do not have a security policy per se have an integrated overall set of business policies that include information security.

Some 68 per cent of companies surveyed that give a high or very high priority to security have a security policy (up from 55 per cent in 2006 when the last ISBS was conducted) compared with 64 per cent of those that treat security as low or no priority (up massively from 13 per cent in 2006).

There is some correlation between how clearly senior management understands security issues and whether a security policy is in place. However, even where senior management has a very poor understanding, 56 per cent of those businesses have a security policy. The biggest correlation is between security policy and risk assessment; companies that carry out risk assessment are nearly twice as likely to have a security policy in place as those that do not.

Security awareness is not just an issue for a company’s staff. Nearly two-thirds of very large companies would welcome more education for the general public about information security risks.

Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey said: "Having a security policy alone does not magically improve security awareness among staff. The overwhelming majority of companies take steps to raise awareness. The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation. Only one in five companies for whom security is not a priority at all takes any steps to raise the security awareness of their staff.

"What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people. A ‘click mentality’ has grown up – users do what expedites their activity rather than what they know they ought to. It is a bit like the road speed limit – everyone knows what they ought to do, but only a few actually do it. Only when behaviour changes do businesses realise the benefits of a security-aware culture."

What they say

Martin Smith, Chairman and Founder of The Security Company (International) Limited, a company that focuses on promoting behavioural change across all levels of organisations, added: "Traditionally, where organisations have attempted to improve employee awareness they have used a combination of computer-based training and face-to-face presentations to get security messages across. But these methods are somewhat transient – much more collaborative and longer-lasting programmes are needed. Genuine behaviour change is essential, and this takes time and effort.

"To be truly effective, awareness messages need to be personalised and tailored to the audience – staff need ownership, plus what works well for a bank won’t necessarily come across well on the shop floor. Messages also need to be kept up to date, so sharing experience with other organisations is important. But if you want to really change staff behaviour, you must put metrics in place to measure actual performance, to ensure compliance, and to reinforce and reward the right conduct."

Survey method

The research for ISBS 2008 was a quantitative telephone survey using a structured questionnaire. PricewaterhouseCoopers picked the sample randomly from a register of UK businesses, ensuring an appropriate mix of respondents to reflect the nature of UK businesses. In each case, the person identified as responsible for information security was contacted. In total, 1,007 computer-assisted telephone interviews were completed, each lasting on average 30 minutes. The interviews took place between October 2007 and January 2008. Figures for small businesses refer to those with fewer than 50 employees, large companies are defined as having more than 250 employees and very large businesses are those with more than 500 staff. Visit www.pwc.com/uk.

© 2024 Professional Security Magazine. All rights reserved.