Untrained users highlighted as security risks

Untrained users highlighted as security risks


Users given greater IT freedoms, but not security training

Businesses are giving users greater freedom with corporate IT systems, according to a recent report, but many of those users lack the necessary security training.

The study, conducted by a consortium, led by PricewaterhouseCoopers, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR), found that firms are placing greater trust in their staff.

Seven out of eight firms now have information security policies in place according to newly released findings from the annual Information Security Breaches Survey (ISBS). Those policies are loosening controls over users.

Fifty four percent said they allow staff to remotely access systems – a rise of 19 per cent from last year's study – while the number of businesses restricting internet access to some staff only has nearly halved from 42 per cent to 24 per cent.

Training staff in security basics is an essential part of any information security strategy, argued Martin Smith, chief executive of The Security Company. "The industry is dominated by technology and technologists … but I've never seen a computer commit a crime, it's always people," he argued.

Smith added that long term behavioural change programmes are the best way to mitigate risk in this area, but most firms are unable to find budget to support such initiatives because "they're hard work and fairly intense"

The importance of security awareness was also highlighted in new figures from security certifications organisation ISC2. The 2008 ISC2 Global Information Workforce Study, set for full release in April, asked 6,523 certified professionals about the importance of certain skills. It found that 90 per cent said a good understanding of security and communication skills are the most important.