UK firms at risk from the 'enemy within'

Companies are being urged to take steps to raise security awareness

UK companies are increasingly aware of the importance of information security policies, but such policies are being widely ignored by staff, new research claims.

The 2008 Information Security Breaches Survey carried out by PricewaterhouseCoopers warned that tightening information security means changing people's behaviour.

The survey, which was carried out on behalf of the Department for Business, Enterprise & Regulatory Reform, found that seven out of eight large businesses claim to have IT security polices.

The results suggest that companies are placing greater trust in their staff, and want employees to use technology to improve their effectiveness.

For example, 54 per cent of UK companies now allow staff to access their systems remotely (up from 36 per cent in 2006) and every large business gives remote access to at least some staff.

The proportion of businesses restricting internet access to some staff has nearly halved (from 42 per cent to 24 per cent), and only nine per cent give no staff access to the internet.

At the same time, the survey showed that staff are increasingly targeted by social engineering attacks in which outsiders try to obtain confidential information from employees.

Businesses are also becoming increasingly concerned about what is being said about them on social networking sites, and some staff have posted confidential information on these sites.

However, the report warned that technology controls alone are not enough. Key to making sure that staff remain the organisation's greatest asset is to ensure that they behave in a security-conscious way.

Companies are increasingly focused on setting clear policies, making staff aware of the policies and monitoring behaviour to ensure that it is in line with those policies.

Chris Potter, a partner at PricewaterhouseCoopers, said: "Having a security policy alone does not magically improve security awareness among staff. The overwhelming majority of companies take steps to raise awareness.

"The priority given by senior management makes a difference in the extent to which security awareness is drilled into all areas of the organisation.

"Only one in five companies for which security is not a priority at all takes any steps to raise the security awareness of their staff.

"What companies are realising is that increasing security awareness is only part of the answer; the critical issue is changing the behaviour of their people."