The CBI survey, which questioned managers at 100 large UK firms, showed that respondents were more concerned about their IT infrastructure than the security of their staff.
Given the highly sensitive nature of data stored in IT systems this is understandable, but with computer hackers becoming more sophisticated by the hour, preventing incidents has become a nightmare task for organisations.
Unsurprisingly, Dame Pauline Neville-Jones, chair of QinetiQ, believes organisations should be investing in more technology to guard against all types of security threat, IT related or not.
“Simply adding more security staff is not a good enough safeguard – technology is the enabler for security,” she said. “It protects and checks networks, goods, people and premises and can be used to help train security staff effectively.”
But the reality, research shows, is that internal employees are more of a threat than hackers and so-called ‘cyber-terrorists’ – whether maliciously or inadvertently.
This means HR has to get involved in preventing security breaches, and not leave it to the IT department, experts warn.
Detective chief superintendent Len Hynds, head of the UK’s National Hi-Tech Crime Unit, believes security issues should be factored into the recruitment process.
“Companies need to build staff vetting procedures into their HR strategies,” he said. “They need to look at the processes by which they recruit and retain staff and consultants.”
Training staff on how to protect company networks and why it is important to report all breaches of security policy is also important, according to Richard Starnes, director of incident response at Cable & Wireless.
“For most companies it is low on their list of priorities because it is wrongly regarded as a cost, not a benefit,” he said. “It is possible to develop a security culture, but you have to make it worthwhile for staff to buy into it for it to be effective. Money is the biggest incentive.”
Starnes said HR should write corporate asset protection into employees’ job responsibilities and review performance against it annually. Adherence to the corporate security culture should influence bonuses and salary rises, he said.
Education is key because the weakest link in the corporate security chain is staff, not technology, said Robert Chapman, co-founder of The Training Camp.
“Technology gets the finger pointed at it for failings, but it only does what people tell it to,” he said. “Awareness of the need for security has risen dramatically over the past 12 months, but there are still some very large companies struggling to implement strict security procedures and to educate their staff.”
While HR may not feel entirely comfortable partly inhabiting the land of IT, one area to which it should easily be able to contribute is communicating the importance of security.
John Roese, chief technology officer at network security specialist Enterasys, said: “Keep it simple, communicate in English, make it relevant, educate your staff about the risks and threats and keep your security policy up-to-date.”