New independent research has highlighted that Australian employees take more responsibility for their company’s online security than employees in other countries.
The research, conducted on behalf of web and email security company Clearswift, demonstrated that 38% of respondents had received IT security training at induction and that 36% had discussed internet policy with their co-workers in the last six months, both figures higher than the global average.
The research also showed that 74% of the 2000 respondents felt confident that they understand the data security policies of their respective employers. Companies are being more proactive with respect to policy on data security, with only 1% of respondents reporting that they didn’t have any official guidelines as opposed to 73% that do.
A few of the results from respondents did indicate a difference between perception and reality with respect to IT security policies. A third of those surveyed indicated that the IT security policy training they received was a one-off upon commencing employment at the company and that further training had been non-existent since their induction. This statistic is particularly disconcerting given that over half of respondents had been with their current employer for more than five years, potentially rendering the initial training redundant many times over.
A quarter of respondents indicated that policy communication could be improved, with 62% citing ignorance or a lack of understanding as a key reason for security breaches, while 20% of respondents complained that security policies were more focused on apportioning blame than protecting data. Curiously, the same number implied that they would ignore policy for the purpose of working more efficiently.
“It’s time for organizations to get to grips with making a policy a living, breathing part of their operations that is relevant to everyday corporate life – not just a tick in the box when it comes to an induction period,” said Phil Vasic, Director, Asia Pacific at Clearswift. “All too often, a policy is simply a document that is referred to only when something goes wrong – almost proof that someone ‘should have known better’. There is little or no point in having an IT security policy in place unless staff across the business are fully aware of it and, more importantly, understand the reasons why the rules are in place. Policy, not policing, is the answer to ensure confidence is well placed to tackle the challenges of managing Web 2.0 that organizations face.”