Discover security breach, blame the co-workers?

IT managers in small and midsize businesses blame their fellow workers for online security breaches--despite the fact many small enterprises still don't enforce Web usage policies.

More than a fourth of European IT managers in small businesses said they believe that company employees are responsible for security problems, according to research commissioned by security software company Websense.

The most frustrating problem for IT managers is employee behavior (cited by nearly a third of managers), followed by security not being high enough on the corporate agenda and then budget constraints.

The survey found that nearly a third of employees said they need to access sites known to present a high security risk, such as peer-to-peer services and free software-downloading sites.

The extent to which workers use the Web is highlighted by the finding that European employees spend an average of two hours per day online at work, with about a half hour of that spent browsing sites not related to work.

But suspicious IT managers believe that the time spent on such sites is closer to 48 minutes--or the equivalent of four hours per week.

The survey also reveals that 23 percent of small to midsize companies have Web security policies but don't enforce them among their employees. Another 16 percent of smaller enterprises have no Web usage policy at all, preferring to trust employees to not put them at risk.

Websense's SMB State of Security survey covered 375 IT managers and 375 employees from companies of between 100 and 250 users in France, Germany, Italy, the Netherlands and the United Kingdom.

Tim Ferguson of Silicon.com reported from London.

[inachu]

I agree 100% !!!!!

Employee who refuse IT advice.
Such as......

DO NOT SHOP THERE! they will infect your pc!
DO NOT USE P2P software or you will be fired!
even after 2 years I still find IMESH and bit torrent on computers.

Employees just do not care. They get fired just as fast.

[rcrusoe]

Sounds right to me

Even with their priviledges restricted users continue to find ways
to screw up their Windows machines. So we layer on more and
more external protection (web filters, antivirus devices etc.) to
try to save them from themselves.

How much time do they screw off on non-business related
Internet use? While we have the ability to track usage, only one
manager has ever asked for a report. But based on the amount
of traffic from youtube, etc. that I see the last couple hours of
the day, it's a lot.

And it's not just the rank and file. Those with the big offices and
titles are just as guilty.

[Chris Parkerson]

Blaming co-workers is NOT the answer

Employees should NOT be expected to be security experts and I believe it is completely unreasonable to expect them to be. The infrastructure really needs to protect itself against malicious activities - by both insiders and outsiders. Expecting employees to carry the burden of security is simply short-sighted and unreasonable, in my opinion.

As I discuss in my recent blog entry, http://www.rsa.com/blog/blog_entry.aspx?id=1217, employees should not be expected to carry this burden. Companies really need to step up and put solutions in place that are readily available to enable their infrastructure to defend itself.