
Forget What We Told You about Security Training

Most security experts agree that your employees are your greatest threat to the security of your company’s information. But training them to be cautious is so difficult that one recent survey showed a decrease in organizations planning to train employees, according to the July 16, 2007 InformationWeek article “The Threat Within: Employees Pose the Biggest Security Risk,” which reports on InformationWeek Research's 10th annual Global Information Security survey, conducted with consulting firm Accenture.

“Survey results indicate that simply educating employees and partners about a company's security policies isn't sufficient to keep generally honest people from letting customer information leak out through e-mails, instant messages, and peer-to-peer networks. While the No. 1 tactical security priority for U.S. companies in 2007, according to 37% of respondents, is creating and enhancing user awareness of policies, this is down from 42% in 2006.”

“Only 19% of respondents say that security technology and policy training will have a significant impact on alleviating employee-based security breaches, the same percentage as last year.”

“They'll click on anything, and if anything slows them down, they'll short cut it,” Mark Loveless, a senior security researcher with network security provider Vernier Networks, told InformationWeek. “End users are given massively complex systems with a happy interface over it, and to make it easy for them to do their job, a lot of the controls are disabled or nonexistent.”

I still believe that security training is important, but you should also help employees help themselves, and the company, by implementing technology tools that operate behind the scenes with as little user interaction as possible. Balancing the security needs of your organization against users' desire to focus on their jobs with little interference from technology is necessary, and it is worth a discussion with management.

Comments

Indeed! Raising *management's* level of security awareness is one of the most important threads of an effective security awareness program.

The implied message that "security awareness doesn't work" is patently wrong. I'd agree that poorly planned and badly executed security awareness programs don't work, but that is a rather different assertion. Plenty of companies are running fabulously successful awareness programs, generally because they have (a) management backing, and (b) someone skilled at employee communications, motivational techniques and information security in charge of it.

Kind regards,
Gary.
