UK companies are still failing to recognise the importance of properly implemented and managed security, assuming it is just a 'technology issue' rather than a fundamental part of the way their organisation works.
By passing the buck wholesale to the IT department companies are exposing a number of flaws across their organisation -- from the top down -- and even a tightening of legislation and increased emphasis on accountability and corporate governance has done little to interest the head-in-the-sand 'higher ups' that they should be getting involved and delegating tasks effectively.
According to independent research conducted by Coleman Parkes on behalf of LogicaCMG, 53 percent of companies entrust the IT department with the sole enforcement of the information security policy.
In addition, 71 percent of companies rely on the IT department to implement information security policies and approaches -- despite the fact that much of the planning should relate to HR and legal issues as much as to the technology in place.
Dave Martin, principal security consultant at LogicaCMG UK, said IT alone is not enough and "process and policy are central to ensuring information security governance". Invariably the IT department, for a number of reasons, are ill-equipped to issue such policy. Nor they would argue should it be their job.
Sal Viveros, SME director at security giant McAfee, believes one of the biggest obstacles to effectively managing security issues centrally from the IT department is the perception of other employees.
Viveros told silicon.com: "A lot of people tend to think of the IT department as being just the guy who takes an age to fix their PC or tells them what they can and cannot have installed on their machine or what machines they have."
Viveros said as a result those in the IT department are often seen as "the bad guys" and coupled with a perceived lack of seniority within the company this makes it difficult for them to dictate, manage and enforce policy.
While staff may sit up and take notice of a policy handed down by HR or a member of senior management, because the trail of accountability and its direct link to discipline procedures is evident, employees may feel less inclined to treat seriously the requests of the IT department.
There may even be a 'the police have all the best drugs' level of resentment whereby employees being told not to do certain things assume those in the IT department handing out such rules are doubtless breaking them themselves and above such policy.
The issues involved are serious. Employees, who are rarely governed by stringent enough policies, are generally regarded as the weakest link in the security chain.
And the risks of making mistakes in this area are huge. In a separate study conducted by MORI, also on behalf of LogicaCMG, 83 percent of investors said a security breach of any kind would impact that companies' share price and 56 percent they would sell their shares in the event of a breach. And it's not just investors who would take issue with breaches -- according to the research 70 percent of customers would also 'vote with their feet' and boycot a Web site if there was the suggestions its security had been compromised.
The fact companies are seemingly doing little about getting on top of security is made all the more surprising by the fact companies are aware of such risks.
A massive 86 percent of the FTSE 350 companies researched said negative publicity for their company would be the key impact and a similar number (84 percent) said their brand would be damaged by a security breach.
Talkback
I agree with you, many companies do not know what the staff throws out in the waste.
A good Security Policy must encompass all aspects of the the business, including HR, IT and Management.
The process starts with the vetting of staff by the HR department and continual security awareness sessions from then on.
Strong information security policies must be in place and be seen to work.
We agree with the point being made but the emphasis should not be on the IT, HR or even the legal department – it needs to be on the board members of an organisation. It is imperative that the board understands the importance of the issues concerning IT security and make it clear that they support and adhere to the IT policies that are in place.
Policies, and the procedures that underpin them, are the only way to ensure that employees know where they stand and what is expected of them. Unless you state and communicate effectively what is acceptable use of IT, employees will not know they are doing anything wrong. If that communication comes from the top then there is no excuse for employee unawareness.