Careless staff beats theft and malware as biggest CISO fear

News by Tim Ring

Careless employees are the biggest security concern for IT professionals, research shows, prompting calls for CISOs to step up staff education and the use of technology.

Sixty percent of 110 IT professionals surveyed by service provider SecureData view employee carelessness as the biggest risk to their organisation's security - well above “the usual suspects” like data theft (13 percent), external malware (10 percent) and technology failure (7 percent).

Operations teams are seen as the biggest risk (40 percent), followed by finance staff (13 percent), while cloud security – often raised as a potential issue – was not once cited as a primary security concern.

However, while the survey easily identified the main issues at hand, it found that agreement on how to tackle the problem is less certain. While 40 percent of respondents felt educating employees was the most important step to improving security, 25 percent said that implementing a clear security management policy was their weakest area.

SecureData CEO Etienne Greeff said the answer is for CISOs to educate staff to follow simple security policies. He told

“Security professionals shouldn't be getting sidetracked by new technologies; their focus should be on producing a simple and straightforward security policy that's easy for employees across the organisation to understand. Once a policy is in place, it is then the responsibility of the C-level to ensure this security message is hammered home internally.”

Amar Singh, chair of the UK Security Advisory Group at global user group ISACA, said the Government's newly launched ‘Cyber Streetwise' scheme could help in achieving this, as it offers practical security advice aimed at consumers and SMEs.

“Education and awareness are long-term initiatives that involve changing long-held beliefs (‘I don't need a secure password') and behaviour (‘do I really need to lock my PC when I go to the bathroom?'),” Singh told

“Consequently, organisations need to complement their short-term, training-based approach with a longer-term, regular and consistent awareness and education programme on information security.”

Independent security expert Bob Tarzey, director of research firm Quocirca, agreed that firms need to focus on staff education - but backed up by technology and tough penalties if employees ignore what they've been taught.

“You need to make your employees more aware through education – but it's also putting in place policies that they realise the penalty for breaking them,” he said, when speaking to “So for instance, if you do something really stupid through carelessness which is against the policy that you're supposed to know thoroughly, then there can be a disciplinary procedure.

“It's having policy, making people aware of the policy, how to take care of data and being clear that there can be sanctions for being casual about policy - but also don't leave it all to the employees, put technology in place to help them.”

SecureData's Greeff said that one encouraging finding from the research is that a holistic approach is becoming more central to security strategies.

“Assessing risk, detecting threats earlier, protecting valuable assets and ensuring a quicker response to breaches will result in more robust IT security, and our research shows that security professionals are beginning to recognise the importance of this.

“In order to address security threats in a manageable way, companies need to start thinking less about these new technologies and point solutions, and more about risk and real-time security intelligence.”
