Human error is the No 1 IT security issue for UK companies

No matter how many policies and training schemes you put into operation, basic human error still poses the most likely threat to your company’s IT security according to IT directors.

This was the conclusion of research commissioned by network security vendor Clavister and conducted by leading international researchers YouGov.

86 percent of all IT directors polled believed that the most likely cause of an IT security issue came from their own employees.

And the story appears to be similar regardless of where the company is based and how big it is. Despite security policies and training being implemented, security problems continue to happen due to the human temperament.

The findings show that 31 percent of IT directors surveyed believe the most likely cause of IT security issues is staff consciously ignoring security policies; 37 percent put it down to human error, 13 percent to insufficient training and awareness of policies, and a further five per cent to industrial espionage.

Following the survey, Clavister has called into question current IT security products and policies and asks what companies can do to address flaws that are integral to us all as human beings.

“The purpose of a security policy is rather simple - to keep malicious users out of a network while monitoring potential risky users within an organization. To ensure compliance, however, is no simple task. Security policy documents tend to be very long and technical, and not written in a way which has meaning or importance for the average employee,” says Andreas Åsander, VP Product Management, Clavister.

“For security rules to be adopted, users need to understand why they are important, and what the rules mean to them personally and professionally.”

Rather than write this off as an issue too broad to address, Clavister has developed a set of six recommendations for companies to consider. These include:

1. Design the policy so that it’s easy to read and understand
Do not make it too complicated and technical. Use examples demonstrating each point.

2. Educate the users about the policy
It is absolutely key that they understand why rules are needed and what the rules mean to them both personally and in their job.

3. Enforce consequences
Users who do not comply with the policy must face consequences.

4. Make it easy to do the right thing
Do not just make a web policy which states that something is forbidden; implement a content filtering gateway, for example, which makes it impossible to do the wrong things.

5. Dictate a hierarchy of access permissions
Grant users access only to what is necessary for the completion of their work.

6. Monitor & improve
Monitor policy compliance using both security information and event management systems and manual spot checks. Don’t be afraid to update your policy; it’s a living document. If users don’t understand, give more examples. If it’s difficult to comply, find new support technologies; they are there to help you.

Date: 27th Nov 2008 • Region: UK • Type: Article • Topic: ISM

Copyright 2010 Portal Publishing Ltd