For the most part, said Kohn, his clients are scared more by the prospect of workers who mistakenly circumvent security policies than by people with some sort of ax to grind. "All kinds of sensitive information is being let out accidentally when people don't really understand what they're doing, but thankfully this risk can be mitigated using technology," said Kohn.
The experts said that the best way for companies to immediately improve their internal security controls is to thoroughly revisit corporate policies and the manner in which guidelines are conveyed to employees. Handing someone a thick stack of documents when they're hired and expecting them to understand all the contents isn't practical, the industry watchers said, so firms should be smarter in the ways they inform employees of what the rules are. One way to do this is to make information security a more high-profile element of most workers' responsibilities and to train people specifically on the potential security implications of their individual jobs. By making policies directly applicable to the tasks and IT tools that workers use every day, people are bound to become more aware of potential mistakes, they said.
"The important questions are whether companies are using the right types of policies, and whether they have the right tools in place to ensure these are being effective," said Kohn. "And security policy needs to be a living thing that changes as your business changes."
At the eSeminar, researchers with PricewaterhouseCoopers detailed the findings of their most recent information security survey, a study that involved interviews with more than 8,200 IT executives conducted during mid-2005.
According to the report, only 37 percent of all companies interviewed had an overarching security strategy, while 24 percent said they were in the process of creating such a plan. Unsurprisingly, firms that employed a chief security officer were far more likely to have completed the policy work, with 62 percent of those firms reporting that they have already established internal guidelines. While offering no statistical evidence to illustrate the point, PricewaterhouseCoopers said that those companies also had far fewer security breaches and less network downtime.
"If you promote security to the [senior executive] level, there's proof that there are lower numbers of intrusions and other problems," said Mark Lobel, a partner with PricewaterhouseCoopers. "What we found is that companies need to realize that it's time to get proactive versus reactive, and link security strategy of the top levels of their businesses."
"The top priority for many firms has become training, and some companies are more actively investigating the cause of issues and penalizing employees for their mistakes, and all of this can help improve the situation."