Far too many South African companies fail to document the rules and procedures required to reduce IT security risks, warns IS Digital Network MD Barry Cribb.
He says most companies do not place sufficient emphasis on risks relating to disgruntled staff and inappropriate use or misuse of company e-mail and Internet.
"Companies employing staff know the problems that can be incurred by improper handling of disciplinary processes in terms of labour law. Disciplinary procedures are, therefore, generally well documented and followed to the letter by HR departments," Cribb states.
"However, far too many South African companies fail to document the rules and procedures required to mitigate many of the security and behavioural risks in the use of IT systems."
Cribb believes a large percentage of companies do not have security policies in place, including some large organisations, and there does not seem to be a significant shift towards increasing IT security.
He says most companies would be horrified at the time lost in non-productive use of corporate e-mail and Internet services if it were quantified. He claims the cost of bandwidth alone used in distributing non-work-related content would lead most companies to take action. Yet companies seem reluctant to invest in curtailing excessive Internet usage.
Unnecessary expense
"This is surprising. If these losses occurred as a result of the misuse of a company car, accommodation or entertainment allowance, staff would be held accountable and most certainly face disciplinary action."
Cribb believes security, as a whole, is still perceived as an unnecessary expense by many organisations. With the historical belief that it is predominately a technical issue, companies fail to recognise security as a multi-faceted challenge that affects the bottom line, namely profits.
"When seen as a business issue and part of a risk management process, investment in security can be clearly identified as providing added value. The cost of a single case of abuse or non-compliance vastly outweighs the expenses involved in establishing a security system," he says.
Similarly, the cost of training, which can prevent staff from accidentally acting inappropriately, is less than the potential penalties incurred if the company falls foul of legislation or is attacked, he says, adding that security policies are essential for defining the rules of play.
"How can an employee be expected to follow the rules if they don't know what the rules are?"
Cribb says it is vital the policy is easily accessible, and, therefore, it must be written in a style that is concise yet comprehensive, easy to read and available to all staff.


