IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.
The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives can no longer be seen as optional extras, as any company that has suffered a serious IT breach can confirm.
Infosecurity training needs to have three components:
* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize information security threats and know how to deal with them. We publish a book called the Internet Highway Code that is specifically designed to meet this need and is ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that refers to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond to them.
CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.