Employee Security Practices
Information system (IS) security is challenging for organizations of all sizes. A study by Sadok et al. took a closer look at the disconnect between corporate IS security policies and actual security practices in small-to-medium-sized enterprises (SMEs) [1]. Many organizations of this size rely on information technologies and networked systems to support their business operations and decision-making processes. That reliance can make them particularly vulnerable to IS security threats, because they have limited technology staff, resources, and knowledge. The study found that corporate policies that highlight information security are often disconnected from the actual work practices and routines of employees, that security often does not receive high priority in everyday work, and that the employees interviewed were rarely involved in risk assessment or in the development of security practices.
Awareness of security policy. Forty-eight percent of the interviewees in the study were not aware of existing security controls, a quarter did not know of or apply a formal security policy, 26% reported that any existing security policy was informal, and 38% reported that a formal security policy had been established or was being developed. These findings illustrate the gap between a security policy existing and employees being aware of it.
Information security practices and management. A significant number of interviewees recommended that a clearly identified individual be responsible for information and cybersecurity, that a permanent security incident response team be established, and that responsibility for data ownership and protection within their companies be clarified. These findings demonstrate a need for SMEs to improve how they identify, report, and respond to security risks.
Information security involvement. More than 80% of the interviewees did not participate in developing specific security requirements as part of their jobs; they noted that security controls are imposed top-down. While all of the interviewees confirmed that they handle sensitive data in their jobs, 53% asserted that their job does not require careful attention to data security. Sixty percent stated that information security is not prioritized when doing their jobs, and 52% said that they had received no training or advice in good IS practices. These findings indicate serious deficiencies in the security practices of the SMEs in this sample.
Security practices designed outside the real-world organizational context may not support effective work practices. Including employees in the assessment of risks and in the development of information security practices can help organizations create appropriate policies that employees know exist and understand, so that those policies and practices are actually followed and effectively applied. The result is more robust and consistent information system security in small-to-medium-sized organizations.
[1] Sadok et al. (2020). "It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs." Information and Computer Security.