Employee Education Gap

Published 24th April 2007

Greg Day, security analyst McAfee...

As work becomes an increasingly transitory aspect of the European economy, with people opting to change jobs more frequently and work in a diverse range of professions throughout their working lives, businesses are faced with more ‘new workers’ than every before. The experience of starting a new job is universal and many of us may only have to look into our recent past to recall the excitement, exhilaration and anxiety of that first day at work. However, from a company perspective, introducing new employees into the business is a perennial part of operational process.

There are critical points in the tenure of any job that provide opportunities to establish best practice amongst the employee base. Induction is one of these points, yet, going by a recent Europe-wide study conducted by McAfee, it appears that more can be done to raise security awareness amongst employees at this juncture than is being undertaken at present. Most business functions, particularly IT, will understand that there are a myriad of issues concerning information security within the workplace. Though many of these issues are difficult to solve without considerable effort, it is unfortunate that such a straightforward opportunity to engender vigilance and best practice amongst employees is overlooked on ‘day one’. Beyond simple negligence, the more disturbing observation on the data in the survey is that the induction process mirrors the overall sentiment towards security in the business as a whole.

Security appears to be seen as purely the domain of IT and operations professionals and rarely do these people interface with new joiners outside their immediate responsibility. In addition to this, there is the general sentiment that induction is about welcoming new employees to the business, not bombarding them with a medley of do’s and don’ts. The inevitable conclusion is that, unlike other aspects of employee management, security is a decision that should come directly from board level. It is rarely the case that employees will consider (unprompted) that security measures are not quite what they should be or that they are unclear on security procedures. As least, not in the same way that they are pre-occupied by working conditions, pay and career. Security is – or should be - a ‘management-down’, not an ‘employee-up’ initiative.

McAfee is exhibiting at Infosecurity Europe 2007, Europe’s number one dedicated Information security event.