Despite a huge increase in security-related spend, lax attitudes to information security are costing businesses both money and reputation. Information is a Board-level issue. It is time for management to stop passing the buck and accept responsibility for creating a culture of sound information security awareness, argues Ian McGurk
The majority of organisations in the UK are now highly aware of the dangers associated with poor processes and culture. They work hard to ensure that incidents of bullying, sexual discrimination and now age discrimination do not occur.
Indeed, Human Resources directors are investing in extensive employee training to ensure compliance with the new age discrimination laws. Yet these same individuals are often blatantly ignoring a far more serious aspect of employee and business welfare: the security of business critical information.
Without a robust understanding of the value of business information, including anything from personnel records to client lists, organisations can have little confidence that employees will behave appropriately.
In reality, a poor understanding of information value results in persistent business exposure to risk, whether through employees talking loudly about company-sensitive information in the local at lunch time, or losing laptops that hold confidential data.
Not just IT
Most organisations, however, treat information security as the sole preserve of the IT Department. While IT staff are undoubtedly specialists in security technology, are they really best suited to the job of deciding what information is confidential, how it should be treated and what level of security is required?
Take the Housing Association that had 600 users, all with broad system access. Two thirds of those individuals were actually employed by third party organisations. There was no control over these people: they were not legal employees of the company, and yet they had access to all internal systems. This is not an IT specific concern – this is a business critical issue to be addressed at management level.
It was only by engaging senior management with IT managers that the organisation was able to regain control and create tailored IT policies that reflected individuals’ status within the organisation. For those working for a third party, the policy was enforced by making it part of the corporate contract.
Such examples may be extreme but a lack of management responsibility more often than not leaves IT with little choice but to opt for an all-embracing lock down. With no user understanding, these strategies constrain productivity and cause significant user unrest.
Safeguarding company information depends as much on people as it does on technology. Poor understanding among employees of the need for information security creates problems. Not only is the IT Department regarded as a villain for creating such tortuous procedures, but employees will actively attempt to find security workarounds.
More often than not this results in passwords being written down in plain view and shared between employees to provide unauthorised individuals with access to systems. Such a lack of understanding also results in foolish behaviour – such as leaving a PC unlocked and open to anyone when away from the desk, or leaving laptops on the back seat of a car rather than locked in the boot.
Displaying the right attitude
Instilling the right attitude to company sensitive information into employees should be a core component of business activity. From the initial induction process to regular – annual or biannual – awareness sessions, if businesses are to protect their information assets, they need to make sure all employees are on board.
Simply asking each employee to sign to confirm that a 60-page data security policy document has been read and understood is not delivering information security awareness. Furthermore, it is meaningless – as an increasing number of companies are discovering during employee arbitration cases.
Giving an individual 24 hours to read the document with a ‘sign it or be unable to use the system’ demand is demonstrably unfair. Employees have no option but to sign. However, in an increasing number of cases that signature is deemed irrelevant when set in the context of information misuse.
Without doubt an information security policy is a key component of a successful and safe organisation, but it is only once this awareness and good security culture become embedded across the organisation that the IT Department can create and deliver tailored security policies that reflect the specific information requirements and sensitivities that exist across it. These policies can then be enforced by the use of appropriate security tools, rather than a global lock down that fails to reflect local information requirements.
It is, of course, essential to monitor and measure the level of information security awareness across an organisation. Rather than send a blanket updated security policy document to each individual with the ‘sign and return or else’ message, organisations can use a policy distribution tool that includes specific questions for each user. This interactive approach provides an audit trail, with scoring to demonstrate the user’s understanding of the policy. Not only does this ensure that policies are being read and understood, it also highlights requirements for additional awareness training.
Critically, senior management need to make the information security culture and policy support a standard component of day-to-day business. From the gentle security reminders posted by the coffee machines to the requirement for encryption on laptops holding highly confidential data, it’s the senior managers that best understand the value of information within each part of the business.
Dereliction of duty
Instead of this comprehensive, integrated approach, most organisations endure a running battle between the IT Department and the business, as a global IT lock down in response to poor information security attitudes is perceived to reduce productivity. The IT Department has no spare budget to introduce information awareness seminars, and senior managers appear to have no understanding of the business cost associated with poor employee understanding.
Simply passing the security buck to the IT Department time after time is costing many businesses both revenue and reputational damage. In the US, where every information security breach has to be acknowledged, several leading consulting firms have been vilified for the loss of unencrypted laptops holding the personnel details of a client organisation – including name, address and payroll information.
By proactively embracing information security issues, managers can work with IT to determine the most appropriate levels of security within each business area. This enables the organisation to invest in the right technology at the right place.
Rather than a uniform control measure imposed across all systems, which ends up protecting information that has no value, technology investments will then actually reflect business value.
Source
SMT
Postscript
Ian McGurk is head of security consulting at Plan-Net www.plan-net.co.uk