Only when behaviour changes do businesses realise the benefits of a security-aware culture, finds PWC

Companies are increasingly realising that to tighten up further on information security, they have to change their people’s behaviour, finds a new survey.

This is an early finding of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).

The survey shows that companies are placing greater trust in their staff and they want their staff to use technology to improve their effectiveness. For example, 54% of UK companies now allow staff to access their systems remotely (up from 36% in 2006); every very large business gives remote access to at least some staff. The proportion of businesses restricting Internet access to some staff only has nearly halved (from 42% to 24%), and only 9% give no staff access to the Internet.

At the same time, the survey shows that staff are increasingly targeted by social engineering attacks (where outsiders try to obtain confidential information from employees). In addition, businesses are becoming increasingly concerned about what is being said about them on social networking sites (such as MySpace, Facebook and Bebo), and some staff have posted confidential information on these sites, finds the research.

The survey reported that companies are hardening their technical controls:

• Use of strong (i.e. multi-factor) authentication has nearly doubled since 2006. 14% of small businesses and 53% of large companies now use strong authentication for some of their systems.

• Two-thirds of companies that allow staff to access their systems remotely require additional authentication over that access. Virtual Private Network (VPN) use is almost universal among very large businesses for remote access.

• 81% of large companies block access to inappropriate websites and 86% log and monitor staff access to the Internet.

Increasingly, companies are also focused on setting clear policies, making staff aware of the policies and then monitoring behaviour to ensure that it is in line with those policies. The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy; seven out of eight do so, and some of the 12% that do not have a security policy per se have an integrated overall set of business policies that include information security.

Some 68% of companies surveyed that give a high or very high priority to security have a security policy (up from 55% in 2006 when the last ISBS was conducted) compared with 64% of those that treat security as low or no priority (up massively from 13% in 2006).

Companies that carry out risk assessment are nearly twice as likely to have a security policy in place as those that do not, according to the research.

Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey commented: ‘What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people.’

He added: ‘Only when behaviour changes do businesses realise the benefits of a security-aware culture.’

Martin Smith, chairman and founder of The Security Company (International), a company that focuses on promoting long term behavioural change across all levels of organisations, added: ‘Genuine behaviour change is essential, and this takes time and effort.

‘To be truly effective, awareness messages need to be personalised and tailored to the audience – staff need ownership, plus what works well for a bank won’t necessarily come across well on the shop floor.’

The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April