Policies In Place, But Employees Aren't Trained

Sue Marquette Poremba

If your company has a security policy in place, congratulations. You have taken an important first step in protecting the network and enterprise data.


The next step is to make sure employees know the policy, understand the policy and follow the policy. Sounds like a logical next step, but according to new research from Clearswift, half of employees have never been trained on the security policy. Yet, there is a sense of overconfidence that the company is doing something about security and that employees are practicing safe computing. The report stated:

Overconfidence can therefore be seen as the main data protection hazard in today's office environments. Employees are confident that they understand what is safe and what is permitted, which is leading many to take a casual attitude toward IT generally, often "freestyling" and blindly moving data from place to place without consideration of potential security risks. This situation is being compounded by the fact there is a lack of consistent communication about security policy, and consequently many office workers do not understand it fully. Despite the fact that the majority of office workers in this survey consider themselves to be risk-averse, individually and collectively they are inadvertently leaving their employers exposed to data security risks.

Clearswift's suggestion? Enterprises need to do a better job of conveying their security policies and the need for compliance and, most importantly, of making sure employees understand the policy. And this means reaching out to all employees. Often, security policies are introduced at new hire orientations, which means long-time employees may not ever receive any security training and no one is provided with policy updates. Also, the study pointed out, employees are depending on each other for information on the security policy, and that lends itself to misinformation being spread. As the report concluded:

The most forward-thinking organisations will need to close security gaps by acting on two problems at once. Technological solutions can help keep data under control, by automating enforcement and limiting risk. More regular training is needed alongside these solutions however, if employees are to feel confident about acting to protect sensitive data at work.

Nov 12, 2010 12:49 PM Ashley Richards says:

Training is a key component to proper security policies and compliance programs.

Employee training and education helps to reinforce security policies as well as promote successful execution of an organization's security protocols and technology.

An integrated approach to information security is important to any organization. This includes training (both new staff as well as existing team members) and solid internal policies and procedures. Organizations should also consider investing in IT asset management software to support and supplement IT initiatives and policies.

Ashley, Absolute Software



