Wednesday, August 12, 2009

2008 Information Security Breaches Survey

Companies are becoming increasingly aware of the need to have information security policies in place - with seven out of eight large businesses now claiming to have one. However, experts warn that the high priority given to information security by companies does not necessarily translate into improved security awareness among employees. Increasingly, companies are realizing that to tighten up further on information security, they have to change their people's behavior.

These are among the early findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium led by PricewaterhouseCoopers. The survey shows that companies are placing greater trust in their staff and want them to use technology to improve their effectiveness.

At the same time, the survey shows that employees are increasingly targeted by social engineering attacks, where outsiders try to obtain confidential information from employees. Businesses are becoming increasingly concerned about what is being said about them on social networking sites, as some employees have posted confidential information on these sites.

Key to making sure that staff remain the organization’s greatest asset is to ensure they behave in a security conscious way. Increasingly, companies are focused on setting clear policies, making staff aware of the policies and then monitoring behavior to ensure that it is in line with those policies.

The report also says that there is some correlation between how clearly senior management understands security issues and whether a security policy is in place. Security awareness is not just an issue for a company's staff. Nearly two-thirds of very large companies would welcome more education for the general public about information security risks. Having a security policy alone does not magically improve security awareness among staff.

The overwhelming majority of companies take steps to raise awareness. The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organization. What companies are realizing is that increasing security awareness is only part of the answer. The critical issue is changing the behavior of their people.

A 'click mentality' has grown up - users do what expedites their activity rather than what they know they ought to. It is a bit like the road speed limit - everyone knows what they ought to do, but only a few actually do it. Only when behavior changes do businesses realize the benefits of a security-aware culture.

Traditionally, where organizations have attempted to improve employee awareness they have used a combination of computer-based training and face-to-face presentations to get security messages across. But these methods are somewhat transient - much more collaborative and longer-lasting programs are needed. Genuine behavior change is essential, and this takes time and effort.