Security company Citrix and Ponemon Institute have published a series of reports that reveal “global IT security trends and reasons why security practices and policies need to evolve to deal with threats”.
According to the study, as the cyber threats and security risks companies face change, so does the workplace, and human factor risks in particular. Employees are often unaware of the changing threat landscape, and their insecure behaviour increases security risks. Companies are mainly concerned about:
- Employee complacency about security (74% of respondents)
- Lack of employee awareness of security practices (72%)
- Inability to enforce employees’ compliance with policies (62%)
Although companies have security processes and policies in place to reduce cyber security risks, many employees don’t follow them – 59% of respondents said that employees bypass the company’s security policies because they consider them too complex and 42% said that employees think their organisation’s security policies hinder their productivity.
Processes and technologies are not enough
A cohesive approach to cyber security considers people, processes and technology. Often left out of the equation, people are the glue that holds the security strategy together: technology cannot be deployed, nor can processes be followed, without people. At the same time, people have to be made aware of the technology and processes to make the best use of them.
As the study highlighted, “the need for a unified view of users across the enterprise is a possible solution to improve the overall security posture and reduce risk”. How can companies adopt this unified view? Through staff awareness training programmes. Based on a combination of e-learning courses, training aids and reading materials, a staff awareness programme will help staff understand:
- The consequences of poor information security and cyber security
- The cyber risks they can face in their daily job
- The procedures to follow to minimise such risks
- The corporate compliance requirements for security regulations and frameworks, such as the GDPR, the PCI DSS and ISO 27001.