Many companies take a lot of time to craft and distribute security policies – at least they think they do. But according to an international survey funded by Cisco Systems, a large number of employees literally aren’t getting the message.
There’s a huge gap between the IT professionals in the 10 countries surveyed who say their firm has a security policy and the staff who say their firm has one, the survey shows. The gap averaged 20 per cent in almost every country.
In Brazil, for example, an admirable 80 per cent of IT pros said their company has a security policy, but only 49 per cent of non-IT staff said there was such a policy where they work. In the U.S., 76 per cent of IT workers said they have a security policy, but 45 per cent of regular staff said they don’t know of one.
“That’s a tremendous opportunity for security awareness and education to close that gap,” said Christopher Burgess, Cisco’s senior security advisor.
Last week the first part of the survey, conducted earlier this year, was released. It questioned 1,000 employees and 1,000 IT professionals in 10 countries – the U.S., Britain, France, Germany, Italy, Japan, China, Brazil, India and Australia – to find out how people practice security and whether there are cultural differences in how they do so.
The survey suggests not only do employers need to contact their staff more about security, Burgess said, they also need to do it in more ways than one.
For example, 44 per cent of IT managers and 34 per cent of general staff say their company sends out security reminders only a few times a year. Another 30 per cent in both groups said their firm does it only once a year. Significantly, Burgess added, employers in some countries emphasize security training only by e-mail and in company meetings. E-mail isn’t good enough, he said.
“If you allow individuals to be the arbiter of whether or not they’re going to read something depending on the press of their business that day, they may or may not” read it. Similarly, security policy messages may get lost in staff meetings, particularly during orientation sessions, where new staffers may also have their minds on signing benefits forms and other tasks.
Few believe that the Chinese can teach North Americans much about computing, but pointing to the many ways survey respondents say employers there communicate security policies makes Burgess think the Middle Kingdom can offer some lessons. Chinese organizations routinely use e-mail, staff meetings and newcomer orientations to let employees know about security policies.
But a high number (32 per cent, the highest among the countries surveyed) also embed security messages in PC boot-up routines. Burgess urges companies to also use communication vehicles such as employee magazines, Web portals and white papers. “If all you do is at employee orientation, it will be forgotten very quickly,” he said. “Something not practiced isn’t retained.”
He also suggests organizations have a core security message that heads of individual business units can craft into their messages to departments. Managers talk to engineers differently than accountants or HR personnel, he said, even more so if you have offices in a number of countries.
Finally, Burgess believes the survey results show how important it is for IT managers to work closely with business unit managers to craft security policies that relate to employees’ work. A number of respondents said they turn off security features such as anti-virus monitoring when it interferes with certain functions needed for their work, like downloading needed large files.
“If you are locking down the business unit’s ability to work, you’re actually hindering the company, not helping it.”