If some of this year's various industry studies are any measure of information security awareness among the corporate world's end-users, training programs seem anything but successful.
The oft-mentioned 2004 CSI/FBI Computer Crime and Security Survey shows that most of the 494 IT security practitioners questioned believe their companies fail to invest enough in security awareness training, even though they believe it is important.
And recently, Ernst & Young's 2004 Information Security Survey noted that the lack of user security awareness is the major roadblock to IT security. Despite this concern, however, only around 30 percent of the 1,233 organizations questioned revealed user education as a priority for the next year.
But experts warn that neglecting even to start a program is a frequently repeated blunder among enterprises – a slip-up that can lead to network breaches, theft of proprietary information, virus infections, downtime and, ultimately, huge financial losses or legal problems.
"To me, the horror stories are companies who aren't doing anything. And there are a lot of them," says Kathy Coe, regional education director for Symantec's educational services business unit and head of their security awareness program.
"Even if it's just a poster by the water cooler, at least that's something. And something is better than nothing."
Yet, as she and other experts stress, the complexity of today's threats calls for a more comprehensive training program than a mere poster on a wall.
Multi-vector viruses, compromised passwords, phishing attacks or other forms of identity theft, and peer-to-peer file sharing are just a few of the worries that drive Krizi Trivisani to maintain training and awareness for George Washington University's users as her top priority.
"It's continual learning," explains Trivisani, the Washington D.C.-based university's director of systems security operations and chief security officer. "You have to hit your users over and over again with what you want them to most be aware of. It's not like a one-shot deal, where you can train folks once and expect them to retain that knowledge for the rest of their lives."
As part of their overall program, the university offers online training, mass-distributes emails about specific issues of growing importance, and chooses a topic each month about which details are shared in around 250 posters that are displayed in dorms, school newspapers, offices, and other areas around the campus.
The school also engages in awareness training for more than 7,000 students as part of their George Washington inauguration. As for employees, the university plans on requiring that all new staff complete web-based training offered by Security Awareness Incorporated, a company specializing in IT security training programs based in Florida, during the first two weeks of their start date by the end of the year. Already, the institution offers face-to-face general security awareness training to new employees, as well as for students.
Overcoming user mishaps
Symantec's Coe believes that this kind of training is necessary, given that security problems often arise because employees are doing the wrong things – whether on purpose or by mistake.
"The biggest mistake that organizations make is that they only communicate the policy and they don't communicate the 'why' that surrounds that policy – the part that's educational in nature," comments Coe.
"I think companies have become very alert to the need to communicate their own internal policies, but employees need more than just a policy statement.
"They need to understand a little bit better why protecting their company's information is part of their job," she continues. "It puts the policy in context for them, which is so frequently the missing link."
So while companies are being diligent about communicating corporate security policies, they are neglecting the training that supports such communication. Based on their own findings, adds Coe, Symantec is seeing companies acknowledging that employees are still engaging in wrong, inappropriate or mistaken conduct that creates problems for their company and, ultimately, costs the enterprise money.
Confronting the regulators
Such end-user mis-steps can also prove disastrous for those organizations facing increased pressure from federal and state regulators. Government officials have begun instituting specific security requirements that organizations must now meet.
To be sure, legislation is driving the need to improve security postures overall, and is pushing companies to realize that people – often more than technology – are critical to making this happen. There has been a surge in interest in implementing or improving awareness programs lately, because of the likes of the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach Bliley Act (GLBA), a newer one called FIRPA that addresses securing educational records, and self-imposed regulations by the utility industry, says Chris Cook of Security Awareness Incorporated.
"Awareness was typically put on a back-burner, with no resources allocated to it. Now companies are finding that legislators are requiring it. They're not necessarily specifying what has to be taught, but they're saying 'information security education,' and tying that to privacy as well," explains Cook.
"There have been a lot more companies moving toward security awareness programs since all the legislation has gone into effect. And even the ones that aren't affected by the mandates are, I think, starting to see the value in the preventive measures of security education training versus security gadgets."
Analyst and consulting firm Meta Group supports such contentions. While policies often dictate the selection and deployment of technology that allows for automated enforcement, policies controlling user behavior play an integral role in a company's security posture. And while most companies note awareness programs as key, many fail to offer up the needed funds to get such programs off the ground.
Finding funds and support
Some 75 percent of organizations say that a lack of user awareness is "moderately or severely reducing the effectiveness of their current security program," according to a Meta Group news release announcing the research this fall. On top of these findings, around 66 percent note a lack of executive awareness as having a similar effect.
According to META Group security analyst Chris Byrnes, "the majority of our client-base is in the process of trying to establish awareness programs," with the financial industry having led the pack for quite some time, given regulatory requirements.
"But, most other industries are now finding that in order to be Sarbanes-Oxley and Gramm-Leach Bliley compliant, they have no choice but to train their employees in compliance and security policy."
He adds that in the past 18 months or so, only 40 percent of Meta's client base, which numbers somewhere around 2,400 major organizations, have realized they need to do more than just new employee training. Still compounding the problem, however, is that executive support for training has never been good. But those attitudes seem to be changing.
"Most board of director members and most senior executives have been pretty much forced to come around to the perspective that they must provide the protection of the assets," he explains. "These days, the primary assets held by most organizations are information-based assets. And if you're not following information security rules, you're not protecting those assets."