Businesses fail to educate staff on security

Research says employees may be responsible, but employers are liable

Businesses must do more to educate employees

Most businesses feel the end user is more culpable than the employer for a security breach, according to research by vendor McAfee.

Some 55 per cent of respondents feel an employee should be held responsible for a personal email that spreads a virus on the company network. Similarly, a stolen laptop is seen as the responsibility of the employee by 67 per cent of those surveyed.

But although employee actions may result in security being breached, the employer is often ultimately responsible for the processes and conditions that surround security incidents.

Greg Day, security analyst at McAfee, says businesses do not set strict enough guidelines for their employees.

'Whilst many businesses make a priority of employee induction, many are failing to effectively cover a major part of any employee's working life, their PC and internet usage policies,' he said.

'Companies are failing to capture the opportunity presented by new starters to instil a sense of vigilance and security into the workforce. This oversight, coupled with a clear lack of enforcement, increases the risk of new employees either consciously or inadvertently breaching corporate security protocols,' said Day.

The research suggests that employers' vagueness over, and in some cases the non-existence of, sufficient induction processes is leaving employees unfairly exposed.

'Some businesses clearly talk the talk but are not walking the talk by building business processes in line with documented policy. When it comes to induction, some countries consider themselves to have processes in place but are often not supported by readily available policy documentation,' said Day.

Court cases in Europe, including a recent one in Germany, have resulted in hefty settlements for employers as a result of employee email messages which recipients consider defamatory or which breach confidentiality or client contract.