Infosec 08: Breaches caused by employees breaking trust
By Asavin Wattanajantra
UK businesses are finally starting to implement sensible security policies, but major work needs to be done on employee and management awareness, according to the Information Security Breaches Survey, released at Infosec 2008 by the Department for Business, Enterprise & Regulatory Reform.
Figures showed that the vast majority of businesses (79 per cent) thought that they had a clear understanding of the problems that they faced.
However, doubts were raised about whether they fully comprehended the scale of the problems that they were facing, with only 55 per cent reporting they have a security policy and 56 per cent having any procedure in place to log and respond to incidents.
"There is a great chunk of cynicism in me. I'm delighted by that figure (of 79 per cent of businesses understanding the problem), but I'm wondering, having asked that question, whether management really understands the severity of the situation," said Martin Smith, chief executive of training security provider The Security Company, commenting at Infosec on the findings.
"It's one thing to say that you understand the risks of smoking, it's quite another thing to give it up," he added as an analogy.
Smith claimed that the difficulty in security now was that, although security awareness was there, trust was being given to staff in the form of remote access, remote working, internet access and instant messenger access.
"It's all good stuff for businesses, but of course this increases the profile of the risk enormously," said Smith. "It also indicates that any breaches from now on are not of security, but of trust."
"There is a world of difference between breaching security, where you have countermeasures in place, and breaching the trust that management are placing in their staff," he added.
Smith said this was shown by the fact that many of the incidents that happened at the end of last year were to do with data loss where security failures were due to simple mistakes, usually involving employees.
"Simple, simple mistakes resulting in breaches of security which many of the simple techniques that we use can't possibly hope to defend against," Smith said.
"But you can see they are increasing all the time, and that is apparent in the headlines, and is becoming apparent to business managers all the time."
The chief executive said that although many businesses had got the technical controls sorted out, now they needed to address the human element and raise awareness.