The rules don’t apply to me, thinks senior management when it comes to IT security. A survey of 300 IT Security professionals reveals that top level management is likely to ignore IT security policies and procedures, with 42 per cent cited as frequently ignoring them.
Alarmingly, the Board of Directors doesn’t only have the least understanding of security, but also access to the most sensitive information. It’s a worrying statistic in times when regulators are hitting hard on organisations with lax attitudes towards data security.
The survey, conducted by Cryptzone, asked IT professionals in companies of all sizes who in their organisation was least likely to follow policy and procedures. Some 20 per cent answered senior managers, 17 per cent CEO’s and 20 per cent even cited themselves, the IT team. If they don’t respect IT security, who will?
When it comes to security training, 65 per cent of companies offer the same level of IT security training to everyone in the organisation. Dominic Saunders of Cryptzone draws the conclusions from this that ?money is being wasted training people who might not need it, while not providing enough to the most at risk groups.
“Training should be tailored to reflect the level and depth of information people are privileged to, balanced against the risks they?re exposed to,” he says.
Few respondents said their organisation was offering differentiated training. Of those that did, 64 per cent said the training delivered was based on the job function.
Besides planning IT security education more carefully, Cryptzone advised companies to differentiate IT security awareness programs. Employees might easily feel bored with policies and procedures that don’t apply to them, but are more likely to remember and adhere to security rules that are applicable and relate to their job function.