European SMEs are leaving their businesses vulnerable to security risks due to poor inductions, according to a new report.
The study, Employee Education Gap, of over 1000 SMEs (50-250 employees) across Europe, found:
- Only 32% of those surveyed have IT security as an aspect of employee induction.
- UK businesses are the most likely to hold induction sessions for all employees whilst more than a third of businesses in France and Italy do not have inductions for all employees.
- Pressure to patrol – 70% of respondents believe that employers are more sensitive to risks associated with new employees than they were three years ago.
- Only 39% of businesses have guidelines for employees on email content/language, 28% for the use of portable storage devices and 23% for mobile laptop use.
In the majority of cases where security issues are raised, most businesses felt that the end user was more culpable than the employer. For example, 55% felt that an employee should be held responsible for a personal email that spreads a virus on the company network, according to the study for IT security firm McAfee Inc.
The company says the findings suggest current approaches may be misguided in terms of culpability for security breaches. Though employee actions may result in security breaches, the employer is often ultimately responsible for the processes and conditions that surround security incidents.
Security analyst at McAfee Greg Day said: “Whilst many businesses make a priority of employee induction, many are failing to effectively cover a major part of any employee's working life, their PC and internet usage policies. Companies are failing to capture the opportunity presented by new starters to instil a sense of vigilance and security into the workforce. This oversight, coupled with a clear lack of enforcement, increases the risk of new employees either consciously or inadvertently breaching corporate security protocols.”
The company recommends five considerations to develop a security checklist:
- Cover all the bases: ensure that existing induction materials give sufficient time to security risk exposure; doing so may highlight shortfalls in your business's current approach to security.
- Understand existing employee perceptions: evaluate how informed the existing employee base is on security issues such as email disclaimers, spam mail and mobile working.
- Bring clarity to risk responsibility: start your risk review by refreshing your company’s understanding of where responsibility resides for security risk issues. Trade and government websites make a good reference point to begin with.
- Independent analysis: Invite an independent third party, partner business, or customer to undertake your induction process and provide feedback on areas where information could be improved.
- Create virtual security officers: identify key personnel who can take responsibility for ensuring a vigilant approach to information security and employee awareness.