Breach research

by Mark Rowe

Although British small and medium-sized enterprises (SMEs) provide training in IT and security, employees fail to prevent breaches and data leaks. A study commissioned by IT security product firm McAfee suggested that even those with training in specific areas of technology failed to keep their data secure – 58 per cent of those whose email was hacked had received training specifically around email security. Almost a quarter of employees admitted they were not concerned at all about attacks and breaches.

According to the study, 68pc of SMEs are making a concerted effort to educate employees about security risks and threats and over two thirds of companies provide training in this area. However, for these initiatives to be successful, employees need to be involved and engaged.

Raj Samani, CTO, McAfee EMEA, said: “Employees play critical roles in protecting customer records, intellectual property and critical business data.

“Investments in hardware or software are in vain if employees don’t follow the rules. If there are any rules or guidelines, that is to say.”

Enemy within

Some 80 percent of British SME employees agree that digital data is a central business asset for their company. Half regularly handle client contact data, almost half touch invoice data and 42 percent interact with confidential client data. The survey findings reveal that almost a third of employees identify the biggest threat to these digital assets as their colleagues. In fact, 11 percent have experienced security incidents due to colleagues, while 5 percent admit to having caused a breach themselves.

The security risk posed by employees is increased further by the growing Bring Your Own Device (BYOD) trend, which means that a fifth of SME employees are now using their own personal devices to handle corporate email and access business data. “BYOD and BYOS create security vulnerabilities SMEs need to understand and deal with today,” said Samani. “Private usage of devices or services not only opens backdoors to a business’s security infrastructure, it also creates an environment where companies cannot control how their data is being accessed, stored or shared.”

Joint effort

The research highlights that even though security training is provided at two thirds of companies, these efforts appear to have little effect on reducing breaches. Even those with training in specific areas fail to keep their data secure: 53pc of those whose password was hacked had received password security training and 58pc of those whose email was hacked had received email security training. In addition, 30pc of those who had email security training, 35pc of those who had mobile training and 20pc of those who had cloud security training admitted to leaking data.

“The study reveals a disconnect between SMEs’ efforts to make security part of their employees’ mindset and employees recognising it as part of their responsibility,” said Samani. “For employees to say cyber security is not their concern is not acceptable. Cyber security is a shared responsibility: Owners, managers, IT professionals, employees and security providers alike must work together to stop cybercrime. More than a third of global targeted attacks are now aimed against small businesses, so SMEs clearly need to do more to educate employees to make them understand the responsibility carried by each individual. SMEs have to include their employees as an integral part of their security strategy and provide easy-to-manage security that will protect all devices, both remote and in the office.”

Survey

McAfee surveyed 1,000 UK employees (non-IT specialists, non-directors) in SMEs with 25-100 staff in April/May 2013 about the importance of data, security awareness, security incidents and security education in their companies, as well as their needs and wishes with regard to IT security education. Management and IT staff were excluded from participation in the survey.


© 2024 Professional Security Magazine. All rights reserved.