Tuesday, March 4, 2008

Research Published on the Web Site CSOonline Reveals Huge Breaches in Staff Information Security Practices

Both the Security Management Stage 1 and Stage 2 courses address the issue of information and IT security in detail. As part of a workshop, delegates are asked to benchmark their organisation’s adherence to IT and information security best practice on a scale of 1-10. Unsurprisingly, most, especially those who represent multinational companies, score themselves between 8 and 9.

But if the results of recent research published on CSOonline are anything to go by, policies and compliance may be at opposite ends of the spectrum in many organisations. The survey findings are as follows:

1. Copying confidential information onto a USB memory stick: Eighty-seven percent of respondents believe their company’s policy forbids it, yet 51 percent say they do it anyway.

2. Accessing web-based e-mail accounts from a workplace computer: Forty-five percent of those surveyed use webmail at work; 74 percent say there is no stated policy that forbids it.

3. Losing a portable data-bearing device: Thirty-nine percent of respondents say they have lost or misplaced such a device, and 72 percent of them did not report the lost device immediately.

4. Downloading personal software onto a company computer: Sixty percent of respondents say there is no stated policy that forbids downloading personal software, a practice that 45 percent of respondents admit to.

5. Sending workplace documents as an attachment in e-mail: Thirty-three percent of respondents send work documents as attachments, and 48 percent aren’t even sure whether or not that violates policy.

6. Disabling security and firewall settings: Eighty percent of those surveyed don’t know whether disabling security is against policy; 17 percent of respondents do it.

7. Sharing passwords with co-workers: Sixty-seven percent say the company’s policy forbids sharing passwords, but 46 percent of them do it anyway.

The next Security Management Stage 1 Course takes place 31 March – 11 April.

Part of the course is a one-day workshop on 7 April, Information and IT Security Management, which is also open to day delegates. This workshop can also be conducted in-house to increase staff awareness of IT and information security issues. Contact Janet for details.