Commenting on research recently released, which claims to show that 54 per cent of small businesses and 38 per cent of their larger peers do not have a security awareness programme in place, Cryptzone says this is a common failing in many organisations.
The problem, says Dominic Saunders, Senior Vice President of the NETconsent Business Unit within the European IT threat mitigation specialist, is that many IT security managers perhaps understandably put too much faith in the understanding of technology amongst staff in their organisation.
"This is something that psychologists call 'empathic accuracy' and refers to how accurately one person can infer the thoughts and feelings of another person. It's very common in most business disciplines and simply means that - for example - a member of the financial services team will presume that their colleague in sales fully understands the nuances of basic accountancy, when in fact this usually isn't the case," he said.
"In the case of IT security, empathic accuracy becomes a potentially dangerous presumption that needs supporting technology to help enforce positive levels of security across the entire organisation. And this technology, we have found, comes in the form of good policy management software," he added.
The Cryptzone VP went on to say that the NETconsent Compliance Suite provides its clients with a policy management solution that complements the more traditional IT security technologies to deliver a better overall security solution.
The PwC/Infosecurity Show research shows, he says, that because only 39 per cent of large organisations encrypt their downloaded data, 47 per cent have ended up losing or leaking confidential information held on mobile devices.
With effective security policy management and user awareness programs in place, staff are much more likely to adhere to the rules and therefore breaches become less likely.
As the PwC/Infosecurity Show research notes, he explained, breaches often occur due to ignorance rather than malice, meaning that staff need to better understand security policies in order to put them into practice.
The problem of security policy failures, says Saunders, has been made worse by the arrival of the BYOD (bring-your-own-device) trend in the workplace - and because of this, he recommends that the industry look at how it can effectively deliver security policies to those devices.
"I think that it is now essential that professionals update their firm's security policies on a more regular basis, as technologies, working practices and what data staff are allowed to access change so quickly over time," he noted.
Enter the Apple iPad
Two years ago, he says, what employees could access using consumer devices such as the Apple iPad was limited mainly to email. Today, they can access the intranet, CRM (customer relationship management) systems and all manner of company confidential data, all from their tablet computer.
The problem, Saunders adds, is that Cryptzone has observed that security policies in most organisations have not kept pace with actual practice, meaning that the organisation, along with its employees and their data, is being placed at risk. This is quite often simply due to the perceived overhead of communicating the policy to staff. Automated policy communication tools can facilitate this process, meaning that policies within an organisation can be updated as needed.
"We need to demonstrate the importance of testing people's understanding of policies and of making documents fit for purpose. A lot of documents are, we have also observed, quite lengthy and filled with jargon, making them less than readable. The solution is to write documents that are appropriate to the intended audience," he said.
"Unless security policies form part of a conjoined awareness programme, they are going to be less effective. The ability to split out policies, procedures, forms and e-learning into their own separate entities, whilst also being able to simply navigate between them, is a powerful mechanism to achieve overall policy compliance to meet an organisation's overall IT security strategy," he added.
"Yes, as this report says, many data breaches do occur as a result of ignorance rather than malice, but shiny new devices attract attention from opportunist thieves, and then any data stored on them is in the wrong hands. I think we will see an increase of high profile cases where data is exposed to media or even used in blackmail situations - so implementing security technologies backed up with suitable policy enforcement software is a positive and essential solution to these issues."