There’s a saying, ‘do as I say, not as I do’, which seems to resonate in the executive corridors of far too many organisations. A survey of 300 IT security professionals bears this out: it revealed that board directors are the group most likely to ignore or flout security policies and procedures, with 42% cited as frequently ignoring them. The survey also revealed that, rather than setting an example, senior management are seen as believing that "the rules don't apply to them" when it comes to respecting IT security policies and procedures; over half of respondents were convinced of this.
However, there’s also the phrase ‘united we stand, divided we fall’, and that is the risk each person who doesn’t toe the security line potentially exposes their company to.
Alarmingly, 52% of those surveyed agreed with the statement that board directors have access to the most sensitive information yet have the least understanding of security. This is a worrying statistic at a time when data loss has become a daily news headline and regulators are coming down hard on organisations with lax attitudes towards data security.
“This is a tough problem. Seeing wanton disregard at a senior level for the policies and procedures put in place to protect an organisation is infuriating, and a real challenge for the CISO who must balance the needs of a business with the requirement to protect assets,” said Nigel Stanley, Practice Leader for Security at Bloor Research.
He added, “I consider the starting point for all security measures to be a governance statement signed by the board, at least with this you have some comeback if senior managers and directors aren’t playing ball.”
Education is important so that every single person knows what they should be doing and why they’re doing it. However, with 65% of companies offering the same level of training to all employees, the reality is that money is being wasted: people who may not need the training receive it, while the groups most at risk don’t receive enough, leaving staff insufficiently educated about the risks they pose to the company. Instead, training should be tailored to reflect the level and depth of information people are privy to, balanced against the risks they’re exposed to. On top of that, organisations need to get savvy and introduce controls that don’t allow anyone, regardless of how far up the corporate tree they sit, to flout policies and procedures.
Organisations need to take an enterprise approach to IT security awareness programs and take the following steps:
Introduce policies and procedures that keep the organisation safe.
Write them clearly so everyone can understand them.
Think carefully when signing off policies and procedures about whether the measures outlined are workable in daily practice. People will always find ways around rules that prevent them from doing their jobs effectively.
Improve IT security education, so that every single person not only knows what they should be doing, but also why they’re doing it and the consequences of not following company policies.
Differentiate IT security awareness programs, so people don't get bogged down with policies and procedures that don't apply to them. People are far more likely to remember and adhere to security rules that are applicable and relate to their job function.
Regularly update policies and make sure everyone knows when this has happened.
Important security practices and technologies should be enforced without the option to be overridden.
Disciplinary action should be applied consistently across the organisation when an infringement occurs.