by John Golden
SC Magazine
5/18/05
In today's increasingly security-conscious market, it is no longer sufficient simply to delegate an organization's information security to the network administration staff.
Catastrophic security breaches are occurring more frequently, resulting in losses of tens of millions of dollars. Whether the consequences are lost productivity, leaked competitive intelligence or simply the erosion of customer confidence, the breaches themselves are primarily caused by end-user ignorance. Research has shown that upwards of 80 percent of network attacks are facilitated by employees opening attachments of unknown origin, or even by handing their username and password to someone else.
It is astonishing that, although a huge amount of money is being spent on security technologies and on specialized security training for IT staff, non-IT computer users in sales, marketing and finance (the majority in most companies) are still largely overlooked. This is a situation that cannot endure, even in the short term. Given the numerous warnings and hard lessons learned over the past several years from high-profile virus outbreaks, the potential damage to an organization's reputation alone (setting aside network damage and productivity losses) is unsustainable. Customers will take their business elsewhere if they are not reassured that an organization has adopted a comprehensive approach to data security, and such an approach has to start with the end user.
Making an organization's workforce security-aware and modifying its behavior does not require a huge overhead (and even if it did, the consequences of not doing so are so severe that the cost would be warranted regardless). End users need basic education on their corporate responsibilities when accessing the network or using the tools they are given. Whether they use desktop PCs, laptops or handheld devices, lesson number one should be that access to the network and the internet does not entitle an employee to act as they please. A security-conscious organization will have rules, regulations and restrictions on what an end user can do. In addition, each user's access rights should be no broader than their job role and level of seniority require.