Industry groups have come together to raise awareness about information security, but the biggest challenge for organisations—changing behaviour—still lies ahead

Human error and lack of security awareness have been blamed for many of the worst security breaches over the last year.

When Her Majesty's Revenue and Customs (HMRC) compromised the personal details of 25m people, after inadequately protected discs were lost in the post, the finger of blame was pointed at a junior clerk.

And in January, a Royal Navy officer left a laptop in a car with hundreds of thousands of confidential data records on it.

Around the same time, Canadian authorities said guidelines had been broken when, in a similar instance, a desktop computer was hacked after being taken home by a consultant.

In light of so many breaches associated with lack of awareness, industry groups have this week come together and formed the Information Security Awareness Forum (ISAF)—an initiative designed to improve information security awareness by pooling the expertise and resources of a number of industry organisations.

A survey, conducted by Infosecurity Europe on behalf of the ISAF, found that for 79% of organisations the single greatest security weakness was lack of awareness, with people not knowing about, ignoring or circumventing security processes and technical countermeasures.

Dr David King, chair of the ISAF, said: ‘For a number of years, security awareness has been on the agenda of many organisations…In spite of this, lack of awareness continues to be a major contributor to security breaches.’

‘The ISAF has been formed to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness in the UK that will help protect us all,’ he added.

One partner in the initiative, Philip Virgo, of the European Information Security Group, said he wanted to send out a very clear message: ‘Unless the professionals get their act together and help set the agenda we are at risk of ill-informed and possibly even counter-productive political and regulatory initiatives.’

But while awareness may be moving up the corporate agenda, the real challenge of changing everyday behaviour remains as persistent as ever.

Big security incidents are usually the result of lots of small things failing; invariably one of those things is the human element—had the perpetrator acted differently the incident could have been prevented—explained Chris Potter, a partner at PricewaterhouseCoopers.

‘Some leading organisations are making real progress in educating their staff about the risks and changing actual behaviour—they are turning their people into their strongest defence against data breaches rather than their weakest link. However most companies are struggling,’ added Potter.

In an ongoing project, the forum is drafting a set of guidelines for directors who deal with information security. Virgo said the director’s guide would help lift the issue of information security so it’s no longer viewed as something that inhibits business but rather as something that can help companies do business confidently.

Commenting on the launch of the ISAF, Kim Camman of SafeBoot said: ‘We have seen a plethora of security initiatives in the UK over the past few years and we can only hope that this new initiative will be the tipping point in changing employee and consumer behaviour when it comes to securing their data. However, this initiative should not be seen as the be all and end all. Businesses and Government organisations cannot shirk their responsibility - they too need to take on this educative mantra.’

PwC are managing the 2008 information security breaches survey on behalf of the Department for Business, Enterprise and Regulatory Reform; the results will be launched at Infosecurity Europe on 22 April 2008.