Monday, 29 September 2008

The Mark One Human Being

Recent security breaches:

  • Nationwide fined £980,000 for stolen laptop.
  • HMRC lost two CDs of child support data
  • Bank customer data sold on eBay
  • Secret terror file left on train
  • Royal Navy laptop stolen with 600,000 people's details…

66% of companies increased IT security spending in 2007, but still these events continue.

40% provide ongoing security awareness training to staff—i.e. 60% do not.

If we don't teach people what they need to know about security, we will not be able to make the university's data more secure. Security education and awareness must be a key part of our information security strategy. It is not enough to tell people that security is their responsibility: we need to consider how we market information security awareness so that the message actually gets across.

Once the communication is out, measure whether behaviour has actually changed. Policy compliance figures and survey results are then used to inform the following year's approach.

If we put the technology in place but do not market and communicate the programme, so that individuals understand and fulfil their responsibilities, the investments we make will be worthless and security breaches will continue to happen—meanwhile support for further investment in security will wane.
