Leading a horse to water
Some companies, however, have taken the initiative to educate their workforce, beyond having a security policy in an employee manual or posted on an internal Web site.
Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.
But the tide seems to be turning, even among employees.
"Employees are now concerned with who has access to their data and are also asking questions about whether our backup tapes are adequate," said the Westfield Group's Breth. "Now they're taking ownership of the data and making sure it's secure, rather than just saying it's the IT department's problem."
Breth noted the new privacy regulations are helping to drive the increase in employee awareness and participation.
Westfield's chief executive has also brought up the issue of IT security during the past two companywide meetings, and that has helped set the tone for visibility on the issue, Breth added.
"Over the past six months, the level of communication we've had with employees has ramped up, and people are being told about the role they play in keeping the whole company secure," Breth said. "Instead of a printed policy inside our employee manual that they read on their first day but then it sits on the shelf, we're now emailing people our policy, and they're hearing about it at our quarterly meetings."
Westfield is also supplying its employees with frequent security and antivirus tips that go beyond avoiding unsolicited email attachments.
Convergys, meanwhile, posts a security newsletter on its intranet every two weeks, displays security-related posters throughout the workplace and is currently working on making some of its security and antivirus training mandatory, as well as requiring some familiarity with the company's security policy as part of the annual review process, Moore said.
"The big problem with educating employees on security issues is being able to track whether you're getting through to people," Moore lamented. "Everyone knows about viruses, for example, but half the people don't have antivirus software. They're the ones who become the [spam] zombies and infect the entire human race."
