[LINK] Security efforts hindered by untrained users

Bernard Robertson-Dunn brd at iimetro.com.au
Wed Jan 30 22:05:38 AEDT 2008


Security efforts hindered by untrained users
By Shamus McGillicuddy, News Writer
29 Jan 2008
http://searchcio-midmarket.techtarget.com/news/article/0,289142,sid183_gci1296314,00.html

Buy all the security technology you want. You're only as secure as your 
most idiotic end user.

A survey sponsored by security vendor GFI Software Ltd. 
<http://www.gfi.com/news/en/smbsurvey1.htm> revealed that midmarket CIOs 
don't want a bigger security budget. They want educated employees.

GFI's survey asked IT leaders at 455 small and midmarket businesses in 
the U.S. what would help improve the level of security at their 
companies. Only 12% said a larger budget would help. Forty-eight percent 
chose better awareness of security among employees, and another 25% said 
better awareness of security among senior management was key.

Clearly this is contributing to their general feeling of insecurity, 
because 42% of survey respondents said they do not consider their 
networks to be secure -- even though 96% have antivirus technology in 
place and 93% have firewalls installed.

In fact, new research from New York-based AMI Partners Inc. 
<http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20071211005167&newsLang=en> 
has revealed that midmarket companies spent 17% more on security in 2007 
than they did in 2006.

"They see the end user as the weakest link," said David Kelleher, 
project leader for research and surveys at San Gwann, Malta-based GFI. 
"The proliferation of these social networking sites has created more and 
more problems for administrators. These employees are spending their 
lunch break updating profiles and downloading files and clicking links. 
There's always the risk of clicking a link that takes you to a malicious 
Web site."

Kelleher said midmarket companies have security policies, but there 
isn't a good level of communication between IT and end users. End users 
don't understand the reasoning behind the policies, nor how IT plans to 
enforce them.

Kelleher said CIOs should make sure new employees go through a rigorous 
induction course that explains what they can and can't do on the 
network. He said IT should also lean on vendors and resellers for 
education on security issues, particularly for educating senior management.

"Certainly end users are a big hole for most people, because end users 
are not going to be your most technically competent people," said Gary 
Chen, a senior analyst at Boston-based Yankee Group Research Inc. "And a 
lot of attacks today rely on the gullibility of users to click on a link."

Chen said it's important to educate end users, but he's not sure it will 
really do any good.

"I guess I'm not truly convinced that you can seriously make a dent in 
that problem," he said. "You can do all the training you want, but 
people are just going to be stupid and you're not going to be able to do 
much about it."

Chen said small and midmarket companies should strive to implement 
technologies that assume the user is going to do the wrong thing. He 
said these companies should look to vendors who offer integrated 
security services or managed services.

"There's just so many security technologies, and SMBs just don't have 
the time to research every new threat," Chen said. "What they need is to 
integrate stuff, to buy one service or device to handle everything 
instead of getting this product for this problem and that product for 
that problem. I think the offerings are falling behind. SMBs are falling 
behind on security. I don't think they're keeping up. They are losing 
the war. But there are a lot of services being put together now."

Kelleher added, "I think too many SMBs are worried about viruses and 
spam. They need to start looking beyond. There are many, many more 
threats and they have to be more proactive. They can't wait for 
something to happen. They basically need to take out an insurance policy 
because ultimately security is a cost of doing business."

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au



