Too many companies leave themselves vulnerable to employees’ ignorance or purposeful flouting of the rules when it comes to information security, suggests a survey conducted by (ISC)2. Focused on the ‘basics’ of policy management, the survey revealed that organizations are becoming confident in their ability to comply with the policies and procedures set out to secure them. Analysis of the results, however, reveals education efforts to be immature, with most concerns relating to accountability and company-wide understanding of what is required.
The survey questioned 737 information security professionals last month about their organisation’s efforts in policy and awareness management. A great majority, 80 percent, said their company’s ability to comply with security policy was satisfactory, good or very good, leaving only 20 percent saying they were dissatisfied. However, this confident stance was tempered by concerns from nearly half of the respondents over a lack of training (48 percent) and poor employee understanding of policy (46 percent); a lack of defined accountability (42 percent); and an unsupportive company culture (48 percent).
These obstacles to compliance with policy were cited by significantly more respondents than other issues of traditional concern, including a lack of budget, which only 22 percent were concerned about, and the ability to procure the latest technology, which concerned only 19 percent of respondents.
When asked whether their organizations tracked security policy, the majority of respondents, 63 percent, said yes, and a similar number, 60 percent, said there were sanctions for non-compliance, while only two percent felt that those sanctions were understood company-wide. The survey also queried efforts to educate employees about policies and expectations. The bulk of formal education efforts were said to be online, with 56 percent of respondents identifying this method, while 35 percent used an employee newsletter and 35 percent said expectations were written into employee contracts. Only a quarter reported in-person training programs. A significant number recognized the need to manage data, with 72 percent reporting they had a data classification policy, which according to John Colley is a first step toward understanding the human challenges ahead.
Results of the survey are to be analysed fully as part of the business education seminar, “Are We Getting the Basics Right”, with John Colley at Infosecurity Europe 2009, 10 a.m. in the Business Strategy Theatre on Thursday, April 30.