Firms failing to balance security policy, enforcement

Summary:Australian firms are having trouble creating and then enforcing a good security policy, which means employees end up frustrated because their movements are shackled or their actions cause unwanted information leakage.A security policy should adequately reflect the risks and requirements of a particular organisation.

Australian firms are having trouble creating and then enforcing a good security policy, which means employees end up frustrated because their movements are shackled or their actions cause unwanted information leakage.

A security policy should adequately reflect the risks and requirements of a particular organisation. If the policy is too strict it may hinder employee productivity and if it is too weak, it could open the organisation to vulnerabilities and information loss or theft.

In a recent survey of Australian enterprises, 83 percent said they were worried about exposing their customer's records and 72 percent said losing financial data was a serious concern. However, the majority of respondents admitted that they rely on their employees to enforce the security policy.

Samia Rauf, director of worldwide corporate communications for document management specialists Workshare, which commissioned the study, said that one of the biggest mistakes made by enterprises is not finding a suitable balance between creating and enforcing a security policy.

"There is a fine line between governance and productivity," Rauf told ZDNet Australia. "Yes you must have a policy.... However, you have got to be continually educating [users] and if you don't educate them then you are going to start putting controls in place that are so militarian [sic] that it affects the productivity of your workers."

"You can focus on productivity and lose control [of security]," said Rauf.

Jo Stewart-Rattray, director of information security at Vectra Corporation, said she had seen some very well written policies that were effectively useless because so few people in the organisation actually knew they existed.

"It is true that a lot of people don't enforce policies.... You can have the very best policy in the world but unless it is disseminated across the whole organisation it serves little purpose," she said.

Stewart-Rattray cited an example where a company she knows wasted a lot of time creating a "good" security policy: "It was one of the best written policies I have ever seen ... but once I got out of IS and IT, no-one knew about it."

According to Rauf, tools can be used to help enforce a security policy and educate users by issuing alerts when the policy is about to be broken.

"You can block information from being uploaded onto the Internet. A lot of things get stolen over Hotmail and Yahoo -- people send their CVs out all the time. You can block or alert when that is happening.

"It will allow [users] to do the right thing by being alerted when they are about to breach policy. People are then constantly being educated," said Rauf.

However, Vectra's Stewart-Rattray warned companies not to completely rely on automated tools: "There are some things that logical tools can't actually enforce -- and often it still relies on a human audit to see if current practice meets policy."

Topics: Security

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.Munir was recognised as Austr... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.