Employees bypass data security controls to do their jobs

Sixty-eight percent of employees admit to bypassing their employers' information security controls in order to do their jobs, according to new research from IT Governance Ltd.

This finding suggests that, even in some of the most sophisticated and security-conscious organisations, managers are failing to understand the correct balance between the confidentiality and availability of information.  By implementing the wrong policies and procedures, they are potentially putting their organisations at risk and may be undermining the legitimacy of information security in employees' eyes.

IT Governance Limited is the one-stop shop for books, tools, training and consultancy on Governance, Risk and Compliance.  In February 2008, it polled 130 technology and compliance professionals on issues concerning the UK Data Protection Act (DPA).  The respondents included some of the best informed professionals in this area, as evidenced by the high proportion of organisations with independently certified data security measures.  The full findings of this survey will be published next month in Data Breaches: Trends, Costs and Best Practices, the first of IT Governance's new series of Best Practice Reports.

The research found that most organisations appeared aware of their responsibilities under the DPA, with over 80 percent having a data controller or someone responsible for maintaining privacy.  Eighty-two percent of organisations had clear policies and procedures for protecting personal data, including documented procedures (68 percent of organisations), formal procedures (57 percent) and informal procedures (24 percent).  Twenty-one percent had policies and procedures certified to best practice standards, such as ISO27001, indicating that respondents represented organisations that are particularly well managed in the field of information security.  Nevertheless, the high incidence of employees deliberately circumventing policies and procedures indicates that many of the measures introduced by management are unduly obstructive, either in design or implementation. 

Organisations also differ in the comprehensiveness of their data security regimes.  While 89 percent cover access to personal data, only 56 percent govern detecting and reporting data losses, and just 39 percent extend to correcting data loss incidents.

The need for DPA compliance is clear, with 96 percent of the organisations represented holding personal information about customers, patients or other individuals.  Of these, 56 percent hold payment card or other financial information; 39 percent hold sensitive personal information, such as ethnicity, religion or political affiliation; and 36 percent hold medical information. However, only 55 percent of employees handling personal data have been trained in their legal responsibilities in respect of this information.  

Alan Calder, Chief Executive of IT Governance, said, "Under the Data Protection Act, it is a legal requirement for organisations to safeguard personal information, but this can only be achieved with the support of employees.  By imposing ill-considered procedures, many organisations leave people little option but to break the rules if they are to do their jobs.  This not only leaves businesses vulnerable to data breaches and fines, but also does lasting damage to the way employees regard infosecurity.  If more organisations followed best practice standards like ISO27001, they would be doing a service to their customers, employees and themselves by making data security workable and readily adopted."

NOTES:

IT Governance Ltd is the one-stop shop for books, tools, training and consultancy for Governance, Risk Management and Compliance. It is a leading authority on data security and IT governance for business and the public sector.  IT Governance is non-geek, approaching IT issues from a non-technology background and talking to management in its own language. Its customer base spans Europe, the Americas, the Middle East and Asia.

Alan Calder is an international authority on information security management.  He led the world's first successful implementation of BS7799, the information security management standard upon which ISO27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager's Guide to Data Security and BS7799/ISO17799.  The 3rd edition of this book is the basis for the UK Open University's postgraduate course on Information Security. He is a consultant to companies including Cisco.
