Firms failing to balance security policy, enforcement
Australian firms are having trouble creating and then enforcing a good security policy, which means employees end up frustrated because their movements are shackled or their actions cause unwanted information leakage.
A security policy should adequately reflect the risks and requirements of a particular organisation. If the policy is too strict it may hinder employee productivity and if it is too weak, it could open the organisation to vulnerabilities and information loss or theft.
In a recent survey of Australian enterprises, 83 percent said they were worried about exposing their customer's records and 72 percent said losing financial data was a serious concern. However, the majority of respondents admitted that they rely on their employees to enforce the security policy.
Samia Rauf, director of worldwide corporate communications for document management specialists Workshare, which commissioned the study, said that one of the biggest mistakes made by enterprises is not finding a suitable balance between creating and enforcing a security policy.
"There is a fine line between governance and productivity," Rauf told ZDNet Australia. "Yes you must have a policy.... However, you have got to be continually educating [users] and if you don't educate them then you are going to start putting controls in place that are so militarian [sic] that it affects the productivity of your workers."
"You can focus on productivity and lose control [of security]," said Rauf.
Jo Stewart-Rattray, director of information security at Vectra Corporation, said she had seen some very well written policies that were effectively useless because so few people in the organisation actually knew they existed.
"It is true that a lot of people don't enforce policies.... You can have the very best policy in the world but unless it is disseminated across the whole organisation it serves little purpose," she said.
Stewart-Rattray cited an example where a company she knows wasted a lot of time creating a "good" security policy: "It was one of the best written policies I have ever seen ... but once I got out of IS and IT, no-one knew about it."
According to Rauf, tools can be used to help enforce a security policy and educate users by issuing alerts when the policy is about to be broken.
"You can block information from being uploaded onto the Internet. A lot of things get stolen over Hotmail and Yahoo -- people send their CVs out all the time. You can block or alert when that is happening.
"It will allow [users] to do the right thing by being alerted when they are about to breach policy. People are then constantly being educated," said Rauf.
However, Vectra's Stewart-Rattray warned companies not to completely rely on automated tools: "There are some things that logical tools can't actually enforce -- and often it still relies on a human audit to see if current practice meets policy."