Policies In Place, But Employees Aren't Trained

If your company has a security policy in place, congratulations. You have taken an important first step in protecting the network and enterprise data.


The next step is to make sure employees know the policy, understand the policy and follow the policy. That sounds like a logical next step, but according to new research from Clearswift, half of employees have never been trained on the security policy. Yet there is a sense of overconfidence that the company is doing something about security and that employees are practicing safe computing. The report stated:

Overconfidence can therefore be seen as the main data protection hazard in today's office environments. Employees are confident that they understand what is safe and what is permitted, which is leading many to take a casual attitude toward IT generally, often "freestyling" and blindly moving data from place to place without consideration of potential security risks. This situation is being compounded by the fact there is a lack of consistent communication about security policy, and consequently many office workers do not understand it fully. Despite the fact that the majority of office workers in this survey consider themselves to be risk-averse, individually and collectively they are inadvertently leaving their employers exposed to data security risks.

Clearswift's suggestion? Enterprises need to do a better job of conveying their security policies and the need for compliance and, most importantly, of making sure employees understand the policy. And this means reaching out to all employees. Often, security policies are introduced at new hire orientations, which means long-time employees may never receive any security training and no one is provided with policy updates. Also, the study pointed out, employees are depending on each other for information on the security policy, and that lends itself to the spread of misinformation. As the report concluded:

The most forward-thinking organisations will need to close security gaps by acting on two problems at once. Technological solutions can help keep data under control, by automating enforcement and limiting risk. More regular training is needed alongside these solutions however, if employees are to feel confident about acting to protect sensitive data at work.