Infosec poll

by Mark Rowe

Rogue employees continue to be the biggest threat to information security, it is suggested. That’s according to IT people polled at Infosecurity Europe 2014. The poll by BSI, the business standards company, looked at perceived threats to information security and how businesses are responding. It found that despite taking measures to combat the risks, 37 per cent of businesses still see employees as the biggest threat to information security, ranking the insider threat higher than cyber-attacks (19pc) and bring your own device (BYOD) (15pc).

To reduce the risk to their business, over half (52pc) have implemented an internal information security policy, nearly half (47pc) have provided staff training and 63pc are either certified (29pc) or operating in compliance (34pc) with ISO 27001, the international Information Security Management standard. A further 23pc indicated they were looking to certify in the immediate future.

However, confidence in security measures to protect against risks is relatively low, with under half (46pc) stating they are confident in the measures their firm has taken. One in ten are not confident at all, yet unsurprisingly in organisations that are certified to ISO 27001 the levels of confidence in security measures rise to 78pc.

Suzanne Fribbins, Risk Management Expert at BSI, said: “It’s no surprise to see insider threats as the biggest risk to information security as employees will always be the one thing that cannot be controlled. Employees don’t necessarily have to be malicious to put a company at risk; they may just not understand the possible risks associated with their actions. Research has shown that effective staff training can halve the number of insider breaches, by ensuring employees understand the importance of information security and their role in protecting businesses’ critical information.”

Commitment from senior management is essential if an organisation is to manage information security effectively, suggests BSI. Some 73pc of respondents believe senior management is dedicated to information security. But 54pc do not feel the necessary resources are allocated to it, despite this being one of the key ways in which top management can demonstrate its commitment to protecting the confidentiality, integrity and availability of information. “In order for an information security management system to be effective, adequate resources have to be allocated, and roles and responsibilities for information security need to be clearly defined,” added Fribbins.

She said: “We have found organisations that implement ISO 27001 can better identify threats to their information security and put in place appropriate controls to manage and reduce risks. This was supported by the research findings with 58pc of respondents seeing this as the greatest benefit, followed by the improved ability to meet customer/tender requirements (41pc), achieving consistency of approach (41pc) and improved information security awareness (30pc).”

The poll found that over three quarters (77pc) of organisations are increasingly being asked for ISO 27001 as a customer requirement when bidding for new business. “ISO 27001 is increasingly becoming a ‘ticket to play’ and an investment that delivers true business benefits,” added Fribbins.

To learn more about ISO 27001, visit www.bsigroup.com/infosec. The research was based on a poll of 79 attendees at Infosecurity Europe 2014.


© 2024 Professional Security Magazine. All rights reserved.
