A new focus for IT security?

Clearswift's regional director, APAC, Phil Vasic talks about Web 2.0

Phil Vasic, regional director, APAC, at software security firm Clearswift explains why the growing pace of change in Web 2.0 technology and its integration into existing IT infrastructures make the requirement for a clear, effective and workable IT security policy more important than ever before.

When Web 2.0 technology was introduced, few could have predicted the full extent of its role in changing the way we work and the resulting impact, not only on the security of employee and employer data, but also on IT policy.

Just three years ago only one in ten employers allowed staff to engage in social media activity such as Twitter and Facebook. However, recent Clearswift research on IT policies showed that attitudes have changed dramatically, to the point where today nearly three quarters of businesses in the US either actively encourage, or at the very least accept, the use of social media tools in the workplace. Countries like the UK and Germany are not far behind.

The driving force behind this change is the realisation that social media can be used as a business tool that, when used appropriately, can benefit an organisation, and can also contribute to positive staff morale and staff retention. With regard to the latter, our research showed that one in five employees would not accept a job offer if the employer did not allow them to engage in any social media activity during the working day.

So, accepting that, little more than half a decade after the phrase Web 2.0 was first coined, our working structure has changed to the point where business and personal usage can be interchangeable, have IT security and company policies in general evolved to reflect this change?

It is clear that, as technology for sharing information becomes more sophisticated and embedded in our lives, it becomes more important for those with access to data in the workplace to understand what is permitted by the business, and which activities may be putting data security at risk. This is particularly pertinent since, as we have already discussed, employees are no longer furtively checking their personal emails, but openly access and engage with sites like Facebook, or tweet, during the course of the working day. This has led to a blurring of the lines of responsibility for company information, opinion and data going in and out of a business.

In addition, there is the issue of a business’s reputation and of ensuring that there are clear guidelines on what may or may not be appropriate to say on a social media site in order to properly safeguard brand reputation. This is particularly important where social and business networking are interchangeable.

But the safeguards are not limited to a static policy document. While the increased acceptance of Web 2.0 and other collaborative technologies has highlighted the need to look more closely at IT policies, regular communication and training to keep staff updated on the ever-changing social media landscape are prerequisites for a truly effective security program.

The best starting point for understanding the effectiveness of existing security programs would seem to be asking the staff themselves, and it was therefore office workers to whom we spoke as part of a recent Security Awareness Report published by Clearswift. The study explored the extent to which office workers understand the data security implications of their day-to-day activities and highlighted several interesting data security phenomena amongst office workers.

Significantly, the Report highlights that there is a trend for over-confidence in the knowledge staff need to keep information safe. This appears to be the main data protection hazard in today’s office environment. It leads to a casual attitude towards IT and a ‘freestyle’ behaviour where data is blindly moved from place to place without consideration of the potential security risks. Alarmingly, 44% of office workers report storing data at work on personal memory devices, 39% download software to their computer at work and 23% use personal accounts on social networks to comment about their job.

15% of office workers in the survey were concerned that they may be inadvertently breaching security policy, with more than three in five office workers attributing security breaches to ignorance or lack of understanding by employees.

The trend toward ‘freestyling’ is compounded by the fact that there is a perceived lack of consistent communication about security policy, and consequently many office workers do not understand their obligations fully. Despite the fact that the majority of office workers taking part in the research consider themselves to be risk averse, both individually and collectively they are inadvertently leaving their employers exposed to data security risks.

This is demonstrated in part by recent cases in the UK in which the Information Commissioner's Office (ICO) issued the first fines under its new powers to enforce the Data Protection Act. One local government authority was fined £100,000 ($157,000) when an employee sent sensitive and confidential data to the wrong recipient.

A business’s employees are placed in a position of trust when dealing with sensitive information and sharing data. Therefore an informal policy, or a word-of-mouth update, is clearly inadequate. There is no room for complacency in this rapidly changing environment. IT security policy should be conveyed through an ongoing and effective training program that is regularly reviewed, and that is reinforced by clear communications to ensure staff are aware of any updates and regularly reminded of the policy.

To give managers and staff clarity over what is and what is not acceptable, the policy should be jointly presented by the IT department and the HR department, with additional involvement from the PR/Marketing team. So while the policy should include points such as where and when personal time can be taken on computers, it should also encompass why industry regulators, rival companies, etc. should not be criticised on social media blogs and networks, and why it is not appropriate to air internal disputes online. It is important to spell out the potential consequences for personal, professional or brand reputation so that the employee has a very clear understanding of them.

Gaining buy-in is fundamental to the success of any company policy. The starting point of the social media element is a general acceptance that staff should be able to access these tools during their working day (our research showed that 60% of managers trust employees to act responsibly). In addition, the policy should emphasise that the intention is to ensure the safety of the company’s employees and the company’s reputation.

The objective is not to block employees’ use of social media, so the policy needs to be flexible but clearly defined and, as mentioned earlier, clearly communicated, with specialist training provided. Above all, if the policy is to be effective, it needs to be enforced and, in the case of an intentional breach, disciplinary action implemented.

This lack of awareness and understanding is backed up by our research, which indicated that there is confusion about what it is okay to do or say on work-related social media sites – nearly two thirds say that they aren’t clear about what is acceptable.

The message is a consistent call for clarity and solid communication. There is a need for formalised IT security policies that work in conjunction with overall company policies, especially those of HR and Marketing, to ensure overall consistency of the corporate message.

Putting in place an IT security policy that is clear and flexible, and which is implemented across the organisation, is key to security coming out of the shadows and providing the reassurance that businesses and their employees need to move forward with confidence.
