Advisory firm Forrester Research questioned 2,383 IT workers from five countries for a report called Understand The State Of Data Security And Privacy: 2012 To 2013, but only 56 per cent of those surveyed in North America and Europe said that they were aware of their employers' current data security policies, according to a …
"Security Awareness Training"
We've heard of it. It will never happen of course, because there's a quantifiable cost associated with it, whereas the cost of a security breach is much less tangible, and is someone else's problem, and anyway is covered in our 100-page security manual that all new entrants were instructed to read in their spare moments.
If your IT workers aren't aware of your security policy, what's the chance that Joe Schmo in the call centre has read it and knows enough not to reveal his password to the person claiming to be calling from the helpdesk?
Security is a voyage not a destination, as the old saying goes. If the company culture is one of security being respected and not just a tickbox, you're good. If managers can come and lean on support people to constantly bend the rules and get away with it, you're in trouble.
Back in the day when I worked for a two-letter oil company, security would cruise the offices and take unsecured laptops. Cue loads of grovelling to security to get your machine returned. I believe repeat offenders were given an IBM Aptiva with 64Mb RAM and Windows 95.
It sunk in. I lock the desktop on my PC at home to this day. The wife thinks I'm hiding something...