
Published 8th March 2007
New research highlights how the ‘employee education gap’ is putting both employers and employees in danger...
London, March 7th, 2007 – McAfee, Inc. (NYSE: MFE) today announced findings from new research, which reveals just how important the HR induction process is in keeping European businesses safe.
Sampling over 1000 SME businesses (50-250 employees) across Europe, the ‘Employee Education Gap’ report highlights some major holes in company induction processes that are leaving businesses vulnerable to unnecessary security risks. Key statistics from the research are as follows:
• Security wilderness – Only 32% of medium-sized businesses across Europe have IT security as an aspect of employee induction
• UK leads the induction drive – UK businesses are the most likely to hold induction sessions for all employees, whilst more than a third of businesses in France and Italy do not have inductions for all employees
• Pressure to patrol – 70% of respondents believe that employers are more sensitive to risks associated with new employees than they were three years ago
• Mitigating risk? – Only 39% of businesses have guidelines for employees on email content/language, 28% for the use of portable storage devices and 23% for mobile laptop use
Employer/Employee ‘responsibility roulette’
In the majority of cases where security issues are raised, most businesses feel that the end user is more culpable than the employer, which has serious implications for employee and employer liability. For example, 55% felt that an employee should be held responsible for a personal email that spreads a virus on the company network. Similarly, a stolen laptop is seen as the responsibility of the employee by 67%. Whilst employees clearly have a role to play in safeguarding their company’s property, the vagueness, and in some cases non-existence, of sufficient induction processes is leaving employees unfairly exposed. Employers should also take note that legal precedents have been set in Europe, resulting in hefty settlements for employers as a result of employee email messages which recipients consider defamatory or which breach confidentiality or client contracts.
Businesses need to be very clear on what constitutes employee responsibility and employer oversight. The research findings highlight that current approaches may be misguided in terms of culpability for security breaches. Though employee actions may result in security breaches, the employer is often ultimately responsible for the processes and conditions that surround security incidents.
Greg Day, Security Analyst, McAfee, comments, “Whilst many businesses make a priority of employee induction, many are failing to effectively cover a major part of any employee’s working life: their PC and internet usage policies. Companies are failing to capture the opportunity presented by new starters to instil a sense of vigilance and security into the workforce. This oversight, coupled with a clear lack of enforcement, increases the risk of new employees either consciously or inadvertently breaching corporate security protocols.”
For your eyes only…
As more and more people opt to change jobs more frequently, businesses are faced with more ‘new workers’ than ever before. In the UK alone, seven million people changed jobs in 2005/6, meaning that over a quarter of the working population (29 million) started a new job during a 12-month period.
For any medium-sized organisation that does not necessarily have a dedicated IT department, information security education of employees must be taken very seriously. Despite 73% of respondents having reviewed their induction policies in the past 12 months, companies still appear to limit access to this information after the initial session, either by keeping it in a hard-copy folder or by restricting access to the copy stored on the company network. Only one third of respondents make such documents available to all via a company intranet or shared folder.
Day stated, “Some businesses clearly talk the talk but are not walking the talk by building business processes in line with documented policy. When it comes to induction, some countries consider themselves to have processes in place but are often not supported by readily available policy documentation.”
In cohesive inductions…
Typically, inductions are shortest in Germany, with 36% of businesses completing full inductions in fewer than three hours. At the other end of the spectrum, Spanish inductions are the most likely to take more than two days (32% of respondents), with UK and French businesses striking a balance at half a day.
Billy Hamilton Stent, Director at Loudhouse research, the consultancy that undertook the study, concludes that, “The induction process provides an ideal opportunity to engender a vigilant response to information security for end users. It’s not a case of issuing a list of dos and don’ts, but more a process of establishing trust, security and clear working procedures that reduce employee and employer risk. It is unfortunate that only a minority of businesses see it in this way.”
A Matter of Trust?
It is clear that businesses are aware of the threats ill-informed employees can pose, with 70% being more sensitive to new employee risks than three years ago. However, businesses need to be careful how they go about enforcing control. 72% believe employees are aware that they are being more closely monitored by their employers. Whilst 29% believe this situation establishes greater trust, 28% believe it can erode trust.
Day concluded, “The level of security concern around employee activity in general and, specifically, new employees can influence how a company deals with employee induction. The key issue is to strike a balance between policing employee activity, allowing employee autonomy and maintaining an open and constructive relationship with the employee base. Trust is an extremely valuable commodity in the workplace and inappropriate processes can have a detrimental impact upon it.”
The following five considerations form a useful starting point in developing a security checklist, in relation to the findings from the survey:
• Cover all the bases: ensure that existing induction materials give sufficient time to security risk exposure; doing so may highlight shortfalls in your business’s current approach to security
• Understand existing employee perceptions: evaluate how informed the existing employee base is on security issues such as email disclaimers, spam mail and mobile working
• Bring clarity to risk responsibility: start your risk review by refreshing your company’s understanding of where responsibility resides for security risk issues. Trade and government websites make a good reference point to begin with
• Independent analysis: invite an independent third party, partner business, or customer to undertake your induction process and provide feedback on areas where information could be improved
• Create virtual security officers: identify key personnel who can take responsibility for ensuring a vigilant approach to information security and employee awareness