Socitm benchmarking figures suggest the problem may be widespread. The following statistics, based on the 88 public sector organisations benchmarked in 2006, speak volumes:
- 92 percent have a formal security policy in place (ergo 8 percent do not)
- 86 percent have a security policy agreed by the management team
- 76 percent have a security policy based on BS7799/ISO27001 (one wonders what the other 24 percent base theirs on, but perhaps it’s best not to ask…)
- 68 percent have a formal security policy in place that is based on BS7799 / ISO27001 and agreed by the management team (and the other 32 percent?)
- 85 percent have a code of conduct for all employees, listing roles and responsibilities. However, as we’ve seen, the existence of such a code and employees actually putting it into practice are two very different things.
- 40 percent provide all new employees with training in security as part of induction and a further 17 percent provide between 2.5 percent and 99 percent of all new employees with training in security as part of induction. However, 43 percent do not provide training in security as part of induction (and probably not thereafter, I suspect).
All these statistics relate to policies and procedures. However, as we have seen, the real issue is behaviour. If you’re going to change behaviour across the whole organisation, and change it permanently, then the classic knee-jerk management reaction – just send everyone on a training course – simply doesn’t work.
Ensuring information security is part of every employee and contractor’s awareness and working practices requires initial training, refresher courses, regular compliance checks and auditing, and constant reinforcement of the key messages.
Incidentally, in many organisations a significant proportion of staff are temps of one sort or another (some prefer to be called ‘consultants’…). Temps often hang around for years, but rarely get sent on training courses. Yet they may be handling as much sensitive data as full-time employees.