My column is dedicated to training and education issues for IT professionals, but how much do we think about training for end users, particularly educating users to be security-aware? Not much, according to the results of a recent survey of 1,233 organisations in 51 countries about security concerns.
Respondents to the 2004 Ernst & Young Global Information Security Survey cited lack of security awareness by end users as the top barrier to achieving the required level of security. Yet raising awareness through security training programs was ranked only sixth and eighth in the list of security priorities for 2004 by business chiefs and IT execs, respectively. Business leaders ranked enforcing information and security policy as the first priority, which raises the question: how will policy be enforced if training isn't even a top-five initiative?
"With proper training and education, people can become the most effective layer in an organisation's defense-in-depth strategy," the report notes. "The first step is making sure they operate in a security-conscious culture."
Security experts say organizations should foster a pervasive security-aware corporate culture. To get there, network executives must begin by insisting on CEO leadership. The CEO must decide on the level of risk the company is willing to accept and instill in the workforce the importance of being security-savvy and of using security technologies to protect against attacks. End users should be trained to recognize potential security breaches, so that in a security culture, regularly changing passwords, not opening suspicious e-mail attachments and other basic precautions become second nature.