[LINK] Security efforts hindered by untrained users
brd at iimetro.com.au
Wed Jan 30 22:05:38 EST 2008
Security efforts hindered by untrained users
By Shamus McGillicuddy, News Writer
29 Jan 2008

Buy all the security technology you want. You're only as secure as your
most idiotic end user.

A survey sponsored by security vendor GFI Software Ltd.
<http://www.gfi.com/news/en/smbsurvey1.htm> revealed that midmarket CIOs
don't want a bigger security budget. They want educated employees.

GFI's survey asked IT leaders at 455 small and midmarket businesses in
the U.S. what would help improve the level of security at their
companies. Only 12% said a larger budget would help. Forty-eight percent
chose better awareness of security among employees, and another 25% said
better awareness of security among senior management was key.

Clearly this is contributing to their general feeling of insecurity,
because 42% of survey respondents said they do not consider their
networks to be secure -- even though 96% have antivirus technology in
place and 93% have firewalls installed.

In fact, new research from New York-based AMI Partners Inc.
has revealed that midmarket companies spent 17% more on security in 2007
than they did in 2006.

"They see the end user as the weakest link," said David Kelleher,
project leader for research and surveys at San Gwann, Malta-based GFI.
"The proliferation of these social networking sites has created more and
more problems for administrators. These employees are spending their
lunch break updating profiles and downloading files and clicking links.
There's always the risk of clicking a link that takes you to a malicious

Kelleher said midmarket companies have security policies, but there
isn't a good level of communication between IT and end users. End users
don't understand the reasoning behind the policies, nor how IT plans to

Kelleher said CIOs should make sure new employees go through a rigorous
induction course that explains what they can and can't do on the
network. He said IT should also lean on vendors and resellers for
education on security issues, particularly for educating senior management.

"Certainly end users are a big hole for most people, because end users
are not going to be your most technically competent people," said Gary
Chen, a senior analyst at Boston-based Yankee Group Research Inc. "And a
lot of attacks today rely on the gullibility of users to click on a link."

Chen said it's important to educate end users, but he's not sure it will
really do any good.

"I guess I'm not truly convinced that you can seriously make a dent in
that problem," he said. "You can do all the training you want, but
people are just going to be stupid and you're not going to be able to do
much about it."

Chen said small and midmarket companies should strive to implement
technologies that assume the user is going to do the wrong thing. He
said these companies should look to vendors who offer integrated
security services or managed services.

"There's just so many security technologies, and SMBs just don't have
the time to research every new threat," Chen said. "What they need is to
integrate stuff, to buy one service or device to handle everything
instead of getting this product for this problem and that product for
that problem. I think the offerings are falling behind. SMBs are falling
behind on security. I don't think they're keeping up. They are losing
the war. But there are a lot of services being put together now."

Kelleher added, "I think too many SMBs are worried about viruses and
spam. They need to start looking beyond. There are many, many more
threats and they have to be more proactive. They can't wait for
something to happen. They basically need to take out an insurance policy
because ultimately security is a cost of doing business."
brd at iimetro.com.au