Training Reference - training, learning and development news

09-Jan-2004

Computer users are "IT Security incidents waiting to happen", according to IT Managers

Research announced today by compliance and security software company, PolicyMatter, shows that the majority of IT managers have a dim view of computer users when it comes to information management. According to the findings, user ignorance and a willingness to take matters into their own hands are the key causes of computer misuse in the workplace.

In a survey of over 200 UK IT managers, 40 per cent said users in their organisation were best described as ‘IT security incidents waiting to happen’, with a further 21 per cent of respondents viewing users as a ‘necessary evil’. A more positive tone was taken by 32 per cent of managers, who regarded their users as ‘valuable assets’, while only seven per cent felt that users were the ‘guardians of the organisation's data’.

On the issue of computer misuse, an overwhelming 64 per cent of IT managers said that their users were prone to ‘sometimes misusing’ the organisation's systems. More seriously, 18 per cent reported that computer systems were ‘often misused’ by staff and two per cent suffered ‘constant’ computer misuse. For a luckier 16 per cent, computer misuse was described as ‘rare’.

The research shows that the primary cause of computer misuse (with 47 per cent) is that users ‘don't understand what they are doing wrong’. More worryingly, 43 per cent of IT managers reported that misuse is down to ‘users believing their actions, while not in line with company policy, will not have any negative effects on the company’. Nine per cent of respondents suggested that users simply thought they could ‘get away with it’, while just one per cent said users ‘deliberately flout company policy, regardless of risk’.

Nathan Millard, a lawyer with legal firm Morgan Cole, isn't surprised at the top two causes of computer misuse: "Many organisations go to great lengths to write acceptable use policies (AUPs), but then undermine their effectiveness by making little or no effort to actually communicate these requirements to employees.

"Organisations need to combat any lack of understanding or complacency to IT security risks by ensuring that computer users have read, understood and signed up to policies."

Millard's views are supported by the PolicyMatter research results: 82 per cent of respondents believed that getting users to sign up to AUPs would increase the effectiveness of the policy.

While the majority of respondents (62 per cent) said that AUP management should be a joint effort between the IT, HR and Legal departments, Millard suggests that the reality is somewhat different. "Often, the creation of an AUP is a knee-jerk reaction to a recent incident or ‘near miss’ where the organisation is rudely awakened to the threats of employee computer misuse. However, once written it is very easy to forget the policy and allow it to gather dust," said Millard. "To provide true protection to the organisation, the AUP needs to be updated regularly to cover new legislation, technologies and user habits, and re-presented to employees so that it is always fresh in their minds. Using a policy management solution like PolicyMatter can dramatically improve the understanding of policy and behaviour of computer users."
