Security awareness: Helping employees really 'get' company policy
Research finds while most employees believe they understand their company's security policies, a large number have never received any formal policy education or training. How can an organization really ensure people understand risk?
By Joan Goodchild, Senior Editor
November 30, 2010 — CSO
Employee awareness of their companies' security policies is high—if you ask the employees. In a survey of 2,000 office workers, software security company Clearswift found almost three quarters, 74 percent, felt 'confident' that they understand their employers' Internet security policies. That is, policy designed to safeguard data and IT security, as well as maintain productivity.
But the confidence is misplaced, Clearswift suggests in their summary of the findings, because a third of those surveyed have not received any training on IT security since joining their firm. And more than two thirds of those who have not had recent training joined their organization more than five years ago—a 'technological lifetime,' notes Clearswift.
"Pretty much every employee can remember a vague discussion about policy at some time in their career—maybe when they joined their current employer or it may be from their previous job," said Andrew Wyatt, Clearswift's COO. "When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office 'folklore' to become perceived as official policy very quickly. If employees are not aware of when they have broken policies—in some cases because the policy is not even enforced—it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy."
The research raises a question that is frequently discussed, but very rarely measured, among organizations: What kind of awareness training is effective? Is it regular and incremental? Is it most effective when done through courses, formal sessions or informal discussions? And how does an organization gauge its effectiveness?
At health-services provider Cigna Corp., employee awareness training takes place regularly, according to the company's CISO, Craig Shumard. "It's not just a one and done kind of thing," he says.
As an example of how Cigna deals with security and privacy policy, Shumard points to the fairly recent phenomenon of social media use among employees. In the last two years, Cigna has had to extend and revise existing policies in order to respond to the adoption of social media sites, both for Cigna's business use and to allow employees to access them for personal reasons while at work.
"The policy that we have around social media is actually in the overall corporate policy around communications and fair disclosure," said Shumard. "So, when we look at policies around external media we see these are issues we have emphasized all along. Before social media, we made it clear when it came to blogs that folks are not supposed to be speaking on behalf of Cigna. It is the same policy now with regard to social media sites. Employees can use these tools on a strictly personal basis—and they should not disclose company information that would not be appropriate given the manner of what we do."