2008-12-01

Human error is the No. 1 IT security issue for UK IT directors

No matter how many policies and training schemes you put in place, basic human error still poses the most likely threat to your company’s IT security, according to IT directors.

This was the worrying conclusion of research commissioned by network security vendor Clavister and conducted by the international research company YouGov.

86 per cent of the IT directors polled believed that the most likely cause of an IT security issue was their own employees. The reasons given were staff ignoring security policies, not being made aware of them or not being sufficiently trained on them, making mistakes, or committing industrial espionage.

And the story appears to be similar regardless of where a company is based and how big it is. Despite security policies and training being in place, security problems continue to happen because of human nature.

Released today, the findings show that 31 per cent of the IT directors surveyed believe the most likely cause of IT security issues is staff consciously ignoring security policies; 37 per cent put it down to human error, 13 per cent to insufficient training and awareness of policies, and a further five per cent to industrial espionage.

Following the survey, Clavister has called current IT security products and policies into question and asks what companies can do to address weaknesses that are inherent in all of us as human beings.

“The purpose of a security policy is rather simple - to keep malicious users out of a network while monitoring potentially risky users within an organization. To ensure compliance, however, is no simple task. Security policy documents tend to be very long and technical, and not written in a way which has meaning or importance for the average employee,” says Andreas Åsander, VP Product Management, Clavister.

“For security rules to be adopted, users need to understand why they are important, and what the rules mean to them personally and professionally.”

Rather than write this off as an issue too broad to address, Clavister has developed a set of six recommendations for companies to consider. These include:

1. Design the policy so that it’s easy to read and understand
Do not make it too complicated or technical. Use examples to demonstrate each point.

2. Educate the users about the policy
It is absolutely key that they understand why the rules are needed and what they mean for them, both personally and in their job.

3. Enforce consequences
Users who do not comply with the policy must face consequences.

4. Make it easy to do the right thing
Do not just write a web policy which states that something is forbidden; implement a content filtering gateway, for example, so that doing the wrong thing becomes impossible rather than merely prohibited.

5. Dictate a hierarchy of access permissions
Grant users access only to what is necessary for the completion of their work.

6. Monitor & improve
Monitor policy compliance using security information and event management (SIEM) systems as well as manual spot checks. Don’t be afraid to update your policy; it’s a living document. If users don’t understand it, give more examples. If it’s difficult to comply with, find new supporting technologies; they are there to help you.
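
Recommendations 4 to 6 can be illustrated in code. The following is an added example written for this page; it is not Clavister’s product or code from the original release. It models a tiny web-policy gateway that decides per request from the user’s role (least privilege, with unknown users and uncategorised hosts denied by default), and then runs a compliance report over a handful of constructed proxy log lines, flagging users whose denied requests reach a threshold as candidates for a manual spot check. The roles, site categories, users and log lines are all hypothetical.

```python
"""Added example (not from the Clavister/YouGov release): a toy web-policy
gateway plus a compliance report over constructed proxy log lines.

Illustrates recommendations 4 to 6: the policy is enforced at the gateway
rather than merely written down, access depends on the user's role (least
privilege), and the log is reviewed for violations that warrant follow-up.
All roles, categories, users and log lines are hypothetical.
"""
from collections import Counter, defaultdict

# Hypothetical rules: which roles may reach which site categories.
# Anything not listed for a role is denied, so the default is least privilege.
ROLE_ALLOW = {
    "finance":   {"business", "banking"},
    "engineer":  {"business", "devtools"},
    "marketing": {"business", "social"},
}

# Hypothetical host-to-category table; a real gateway would take this from a
# category feed. Here it is constructed for the example.
SITE_CATEGORY = {
    "erp.example.com": "business",
    "bank.example.net": "banking",
    "git.example.org": "devtools",
    "social.example.com": "social",
    "webmail-free.example": "webmail",   # permitted for no role
}

# Hypothetical directory lookup: user -> role.
USER_ROLE = {"alice": "finance", "bob": "engineer", "carol": "marketing"}


def decide(user: str, host: str) -> tuple:
    """Return (verdict, reason) for one request.

    Unknown users, uncategorised hosts and categories outside the role's
    allow-list are all denied: the gateway fails closed, so the user cannot
    do the wrong thing even if they never read the policy document.
    """
    role = USER_ROLE.get(user)
    if role is None:
        return "deny", "unknown user"
    category = SITE_CATEGORY.get(host)
    if category is None:
        return "deny", "uncategorised host"
    if category in ROLE_ALLOW[role]:
        return "allow", category
    return "deny", f"category {category} not permitted for role {role}"


# Constructed log lines in a simple "timestamp user host" format.
SAMPLE_LOG = """\
2008-09-22T09:01:10 alice erp.example.com
2008-09-22T09:02:31 alice bank.example.net
2008-09-22T09:05:02 bob git.example.org
2008-09-22T09:06:44 bob social.example.com
2008-09-22T09:07:12 bob social.example.com
2008-09-22T09:08:59 carol webmail-free.example
2008-09-22T09:09:30 carol social.example.com
2008-09-22T09:10:05 dave erp.example.com
"""


def parse_log(text: str):
    """Yield (timestamp, user, host) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        yield ts, user, host


def compliance_report(text: str, threshold: int = 2) -> dict:
    """Count denied requests per user and per reason, and flag users whose
    denials reach `threshold` as candidates for a manual spot check."""
    denials = Counter()
    reasons = defaultdict(Counter)
    for _ts, user, host in parse_log(text):
        verdict, reason = decide(user, host)
        if verdict == "deny":
            denials[user] += 1
            reasons[user][reason] += 1
    flagged = sorted(u for u, n in denials.items() if n >= threshold)
    return {
        "denials": dict(denials),
        "reasons": {u: dict(c) for u, c in reasons.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_LOG)
    for user, n in sorted(report["denials"].items()):
        print(f"{user}: {n} denied request(s) -> {report['reasons'][user]}")
    print("spot-check candidates:", report["flagged"])
```

Run as a script, it reports bob with two denials (social sites are outside the engineer role), carol and dave with one each, and flags bob for a spot check. The same per-user denial counts are what a SIEM rule would key on; the point of the example is that enforcement and monitoring come from the same policy table, so a rule change in one place changes both what is blocked and what is reported.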

* All figures, unless otherwise stated, are from YouGov Plc. The total sample size was 212 private-sector IT or telecoms directors and senior managers. Fieldwork was undertaken between 22 and 29 September 2008. The survey was carried out online.

Information about the company: Clavister AB