Businesses are being urged to clamp down on staff who are flouting security rules, after a survey found that too many companies are vulnerable to ignorant or careless behaviour from their workforce.
The survey was conducted last month by (ISC)2, an association that aims to educate and certify security professionals, together with Infosecurity Europe 2009. The study questioned 737 security professionals about their organisation's efforts in policy and awareness management.
It found that businesses are becoming "confident in their ability to comply with the policies and procedures set out to secure their organisations." But it also revealed that staff education efforts are "immature, with most concerns relating to accountability and company-wide understanding of what is required".
On the positive side, the majority of respondents (80%), said their company's ability to comply with security policy was satisfactory, good or very good. Only 20% said they were dissatisfied.
But nearly half of the respondents had concerns over a lack of training (48%) and poor employee understanding of policy (46%). Concern was also flagged over a lack of defined accountability (42%) and an unsupportive company culture (48%).
What is notable is that these hurdles took precedence over the more traditional complaints such as a lack of budget (22%) and the ability to procure the latest technology (19%).
"A fifth of information security professionals are dissatisfied with their companies' ability to comply with security policy, and this is where people can be your greatest asset or liability," said Tamar Beck, group event director, Infosecurity Europe, in a statement.
"Improving information security awareness and changing behaviour is essential in the new collaborative working environment."
Beck feels that people, process and technology are the foundation of information security, but that it starts with educating people.
The survey also found that the majority of organisations (63%) have the ability to monitor compliance with their security policy. Sixty percent also said there were penalties or sanctions in place to deal with those not complying with security policies, but only 2% felt that those sanctions were understood company-wide.
Fifty-six percent of companies said they educate their staff about policies and expectations via online methods, while 35% use an employee newsletter, and 35% said expectations were written into staff contracts.
Only a quarter reported that they had "in-person training programmes".