Friday, 23 January 2015

The Ongoing Security Awareness Problem:

Quite often I am sent reports, InfoGraphics and articles to post on this blog, many are too sales orientated or too off topic to consider, but the odd one is well worth sharing. So the following post and InfoGraphic has been provided by the UAB Collat School of Business, focusing on, in my view, the most riskiest and yet most neglected areas of Information Security, staff information security awareness. This maybe a little US focused, but the findings and advice mirrors what's seen within UK businesses. I've highlighted some very alarming statistics which shows the management 'god complex' attitude towards information security, and the business data leakage to the cloud.

Employees and General Information Security
Over 80%t of companies say that their biggest security threat is end user carelessness. 75% of companies also believe that employee negligence is their greatest security threat. 3% of all United States full time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using less than five different passwords to access anywhere between twenty five to fifty websites, some of which were business and professional locations. Over 33% percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority of these incidents.

Top Mistakes
Many mistakes committed by employees are entirely avoidable. Things such as sharing passwords with others and leaving their computers unattended outside the workplace all contribute to security problems. Employees are strongly encouraged to use different passwords for different websites, and to change them frequently. Additionally, it is important to delete data when it is no longer being used on the computer, as well as avoid connecting personal devices to company networks and databases.

Largest Threats to Information Security
Senior managers are as much a culprit of problematic behaviour as their employees. Over 58% of senior managers have accidentally sent crucial and private company information to the wrong people. 51% percent of all senior managers have also taken private files from the company with them after they left the job. Business owners may end up compromising their own company’s security as well. Over 87% of all business owners regularly upload files from work to a personal cloud or storage network. 63% of  business owners also use the same passwords to log into different systems in both business and personal affairs.

Tips on Promoting Security
There are many solutions that can be taken to help keep the workplace safe. One of the first of these is to implement a strict, written set of security guidelines. Enforcing physical restrictions to personal data is also recommended. Destroying older data in a more timely fashion can also help resolve many security risks. Generally raising security awareness in the workplace by training and educating employees in proper and improper behaviour can be a good idea. All business owners and leaders are strongly encouraged to become more vocal about security in the workplace.

Employees and Specialised Training
Proper information and security training on a professional level can also help reduce the frequency and severity of security breaches. Over 37% of employees had received mobile security training, while over 40% of employees had received information sharing training. Increasing this number can help spread security awareness in the workplace on a much more efficient level, and businesses are encouraged to introduce some type of professional training program.

Current Bring Your Own Device Practices
Fortunately, while there is room for improvement in many companies, management professionals are also looking into ways to help improve Bring Your Own Device standards and practices. Over 40% of companies currently consider mobile device insecurities to be a large security concern. 15% of employees believe that they have minimal, or practically no, responsibility to safeguard the personal data stored on their devices. This type of thinking is what encourages security risks to occur in the first place. As a result, there is going to be an expected increase in security strategies of upwards of 64% for employees concerning the use of their personal devices over the next twelve months.

Information Security Recommendations
Numerous security recommendations are already being considered by many companies and many businesses are planning on introducing more data leakage protection to help control what data mobile employees will be able to send through Bring Your Own Device practices. This can help prevent the transfer of regulated data through unsecured apps. These plans can also help prevent employees from accessing data on unsecured devices, or transferring unsecured data on their own devices. Future demands will also require owned devices to have a password necessary in order to access the stored data. Many training programs are also going to be planned as well, which will inform employees of the necessity of adhering to, and enforcing, data security regulations.


2 comments:

Mykael Ray said...

Hi Dave,

I had a quick question for you about this infographic, and you don't seem to have an email listed on your website. Could you get back to me when you have a minute?

Dave Whitelegg said...

Hi - dw at itsecurityexpert.co.uk The InfoGraphic is authored by http://www.uab.edu/business/