Catastrophic breaches of security are occurring more frequently, resulting in the loss of tens of millions of dollars. Whether the consequences of security breaches are productivity-related, linked to competitive intelligence or simply in the erosion of customer confidence, they are primarily caused by end user ignorance. Research has shown that upwards of 80 percent of network attacks are facilitated by employees opening attachments of unknown origin or even by providing their username and password to someone else.
It is astonishing to note that although a huge amount of money is being spent on security-related technologies as well as on providing specialized security-related training to IT staff, the non-IT computer users such as sales, marketing and finance (the majority in most companies) are still being largely overlooked. This is a situation that cannot endure even in the short term. The potential damage to an organization in terms of reputation alone (regardless of network damage and productivity losses) will be unsustainable given the numerous warnings and hard lessons learned over the past number of years regarding attacks by high profile viruses. Customers will begin taking their business elsewhere if they are not reassured that an organization has adopted a comprehensive approach to data security. Such an approach has to start with the end user.
Ensuring that an organization's workforce is security aware and modifying their behavior does not necessitate a huge overhead (although even if it did, not doing so has such massive implications that it would warrant it regardless). End users require basic education on their corporate responsibilities when accessing the network or using the tools that they are furnished with. Whether they are using desktop PCs, laptops or handheld devices, lesson number one should be that access to the network and the Internet does not entitle an employee to act as they please. A security conscious organization will have rules, regulations and restrictions around what an end user can do. In addition, they should have appropriate rights commensurate with job roles and seniority status.
The "free for all" of the late 90's where unrestricted access to the Internet became the norm needs to be addressed within organizations even if it means rolling back some of the rights users are accustomed to. Restricting rights, however, is not enough. There are many valid reasons why different individuals require more flexible access and rights. The key, therefore, is user behavior. An organization must teach their end users the dos and don'ts of accessing their email or the network in general. Implementing a structured end user security training program and ensuring that it is tracked is a great start. Once established, it is much easier to reinforce the behavior by attaching penalties for breaking the rules. It also allows businesses to demonstrate to both current and potential customers that they are serious about security right down to the person at the front desk.
It doesn't stop there, however, as executive management now more than ever needs to be confident that the correct security policies and education programs are in place. They are the ones who have to convince customers and investors that data is secure within their infrastructure and that the company is not vulnerable to productivity losses or even customer lawsuits that could potentially result from a catastrophic network penetration. Some executives face additional challenges if they are publicly traded or under Sarbanes Oxley (SOX) legislation. Also, if they engage in contract work with the Federal Government, the Federal Information Security Management Act (FISMA) is increasingly applicable. Again, this raises an interesting educational challenge in that executives who in the past have not had to delve too deeply into IT-related areas are now being asked to sign-off on security policies or SOX compliance. This situation will be addressed very quickly within organizations driven by executives who demand that they have sufficient knowledge to oversee and make decisions that could have such far reaching ramifications for both their company and themselves.
When you combine the need to educate and police end users with the increasing demands on executives to be better educated around compliance and security policies and the obvious and ongoing need to upgrade the security-related skills of the IT department, you are presented with the very real need for a comprehensive approach to the problem. Addressing only one part or even two parts of the equation will not suffice as that will be akin to locking two out of three doors and wondering why you still get burglarized. Smart companies are already implementing ongoing initiatives that address the differing needs of each area of the organization or are engaging with third-parties to help them do it. Smart companies realize that they have no time to lose and the next security breach could potentially mortally wound them. They understand that comprehensive security awareness is not just this year's hot topic but will only continue to increase in importance as the global information economy grows.
The author is VP Products & Programs of New Horizons CLC