Thursday 27 March 2008, 5:45 PM
Company Memorandum: Watch Your Behaviour!
A little birdie - who did a survey - told me that UK companies have become increasingly aware of the need to have information security policies in place, with seven out of eight large businesses now claiming to have one. However, the high priority given to information security by companies does not necessarily translate into improved security awareness among employees. Increasingly, companies are realising that to tighten up further on information security, they have to change their people’s behaviour.
I asked if this requires neural implants - you know, those technological devices that connect directly to a biological subject’s brain - but it seems a little talking to is all that is needed. Darn!
Companies are said to be placing greater trust in their staff and they want their staff to use technology to improve their effectiveness. For example, more than half of the UK companies questioned now allow staff to access their systems remotely (up from 36% in 2006), and even very large businesses give remote access to at least some privileged staff. The proportion of businesses restricting Internet access to some staff only has nearly halved (from 42% to 24%), and only 9% (those who operate in the public sector, or should I say the Dark Ages) give no staff access to the Internet.
At the same time, staff are increasingly 'targeted' by social engineering attacks (where outsiders try to obtain confidential information from employees). In addition, businesses are becoming increasingly concerned about what is being said about them on social networking sites (such as MySpace, Facebook and Bebo), especially as disgruntled staff are increasingly posting confidential information on these sites to get one back on their employers.
Against this background, companies can harden their technical controls: strong (i.e. multi-factor) authentication for their more sensitive systems, and additional authentication for staff who access systems remotely. Virtual Private Network (VPN) use for remote access should be universal, and you should definitely block access to inappropriate Web sites. Heavy-handed IT staff who trust absolutely no-one should also log and monitor staff access to the Internet - though the logs only earn their keep if somebody actually reviews them against the policy.
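As an added example (not from the original post, nor from the survey it summarises), here is a small Python audit over a constructed, Squid-style proxy access log that checks three of the points above together: whether requests arrive from the office LAN or the VPN address pool rather than some untrusted address, whether requests to blocked categories were actually denied by the filter, and which users keep trying so that the awareness follow-up can be aimed at them. The network ranges, the blocked-domain lists, the log layout and the log lines are all hypothetical.

```python
"""Audit a proxy access log against a simple web-access policy.

Added example, not from the post or the survey it cites. The policy values,
network ranges and the log lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Hypothetical policy: domain suffixes the filter should block, by category.
BLOCKED = {
    "social-networking": ("facebook.com", "myspace.com", "bebo.com"),
    "webmail": ("webmail.example.net",),
}
# Hypothetical ranges staff are expected to come from: office LAN and VPN pool.
TRUSTED_NETS = (ip_network("10.10.0.0/16"), ip_network("10.200.0.0/16"))

# Assumed Squid "native" access.log layout:
# time elapsed client code/status bytes method url user hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def hostname(method, url):
    """CONNECT requests log 'host:port'; everything else logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def category(host):
    """Blocked category for host, matched on a label boundary so that
    'www.facebook.com' matches but 'notfacebook.com' does not."""
    for cat, suffixes in BLOCKED.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return cat
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a proxy record; a real run would count these too
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = hostname(rec["method"], rec["url"])
    return rec


def trusted_source(client):
    try:
        addr = ip_address(client)
    except ValueError:
        return False  # hostname or junk in the client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def audit(lines):
    """Return a list of findings, one dict per problem, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = {"user": rec["user"], "client": rec["client"], "host": rec["host"]}
        if not trusted_source(rec["client"]):
            # Neither LAN nor VPN pool: a path that bypasses the "universal" VPN.
            findings.append({"kind": "untrusted-source", "category": None, **base})
        cat = category(rec["host"])
        if cat:
            denied = "DENIED" in rec["code"] or rec["status"] == 403
            # A denied hit is a policy violation to follow up with the user;
            # a served one is a gap in the filter itself to fix.
            kind = "policy-hit" if denied else "filter-gap"
            findings.append({"kind": kind, "category": cat, **base})
    return findings


def summarise(findings):
    """Per-user count of each finding kind, for the awareness follow-up."""
    by_user = defaultdict(Counter)
    for f in findings:
        by_user[f["user"]][f["kind"]] += 1
    return dict(by_user)


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1206632700.123    245 10.10.3.17 TCP_MISS/200 4523 GET http://intranet.example.local/policy.html jsmith DIRECT/10.10.0.5 text/html
1206632710.456    120 10.200.4.8 TCP_DENIED/403 0 GET http://www.facebook.com/home.php rjones NONE/- text/html
1206632720.789    300 10.200.4.8 TCP_MISS/200 9001 CONNECT login.bebo.com:443 rjones HIER_DIRECT/198.51.100.7 -
1206632730.001     90 192.0.2.45 TCP_MISS/200 1200 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
this line is not a proxy record
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['kind']:17} user={f['user']:8} client={f['client']:12} host={f['host']} cat={f['category']}")
    print(summarise(results))
```

The distinction between a "policy-hit" and a "filter-gap" is the one worth keeping: the first is a person to talk to, the second is a control that failed (here, a CONNECT to a blocked site that the filter let through), and lumping them together hides the second behind the noise of the first.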
However, technology controls alone are not enough. Apparently, the key to making sure that staff remain your company's greatest asset is to ensure they behave in a security-conscious way. Is this where neural implants come in? No! I was told again. Increasingly, it seems companies are focused on setting clear policies, making staff aware of the policies and then monitoring behaviour to ensure that it is in line with those policies. Sounds pretty fair to me.
Unfortunately there is little correlation between how clearly senior management understands security issues and whether a security policy is in place. The biggest correlation is between security policy and risk assessment; companies that carry out risk assessment are nearly twice as likely to have a security policy in place as those that do not.
Remember, kids: having a security policy alone does not magically improve security awareness among staff - you have to take steps to raise awareness. The priority given by senior management makes a difference to the extent to which security awareness is drilled into all areas of the organisation. Why not use a combination of computer-based training and face-to-face presentations to get security messages across? But these methods are somewhat transient - much more collaborative and longer-lasting programmes are needed. Genuine behaviour change is essential, and this takes time and effort. If that doesn't work, there's always neural implants ...
Comments on this post
We supply neural implants - known as memes. We seed those little ideas that get inside people's heads and pop up when they're least expecting them. Things such as "If I give someone my password, will they steal my identity?".
One of the keys to security awareness is bringing things home to people, sometimes literally (we often cover information security topics from the perspective of the home PC user, and we provide "take home messages"). Something that affects them personally tends to stick more than corporate mandates.
The same principle applies to managers, which is why we explain the differences between responsibility and accountability. The former gets delegated to people who actually do, as opposed to those who direct. The latter is summed up by the phrase "The buck stops here".
Kind regards,
Gary Hinson www.NoticeBored.com
Yeah, I'm all for scaring the bajeebers out of the unexpected... Though can't a meme propagate itself and move through a 'culture' in a manner similar to the behavior of a virus? I still reckon brain implants are the future to a trustworthy workforce...


