Buy all the security technology you want. You're only as secure as your most idiotic end user.
GFI's survey asked IT leaders at 455 small and midmarket businesses in the U.S. what would help improve the level of security at their companies. Only 12% said a larger budget would help. Forty-eight percent chose better awareness of information security policies among employees, and another 25% said better awareness of security among senior management was key.
Clearly this lack of awareness is contributing to their general feeling of insecurity, because 42% of survey respondents said they do not consider their networks to be secure -- even though 96% have antivirus technology in place and 93% have firewalls installed.
In fact, new research from New York-based AMI Partners Inc. has revealed that midmarket companies spent 17% more on security in 2007 than they did in 2006.
"They see the end user as the weakest link," said David Kelleher, project leader for research and surveys at San Gwann, Malta-based GFI. "The proliferation of these social networking sites has created more and more problems for administrators. These employees are spending their lunch break updating profiles and downloading files and clicking links. There's always the risk of clicking a link that takes you to a malicious Web site."
Kelleher said midmarket companies have information security policies, but there isn't a good level of communication between IT and end users. End users don't understand the reasoning behind the policies, nor how IT plans to enforce them.
Kelleher said CIOs should make sure new employees go through a rigorous induction course that explains what they can and can't do on the network. He said IT should also lean on vendors and resellers for education on security issues, particularly for educating senior management.
Chen said it's important to educate end users, but he's not sure it will really do any good.
"I guess I'm not truly convinced that you can seriously make a dent in that problem," he said. "You can do all the training you want, but people are just going to be stupid and you're not going to be able to do much about it."
Chen said small and midmarket companies should strive to implement technologies that assume the user is going to do the wrong thing. He said these companies should look to vendors who offer integrated security services or managed services.
"There's just so many security technologies, and SMBs just don't have the time to research every new threat," Chen said. "What they need is to integrate stuff, to buy one service or device to handle everything instead of getting this product for this problem and that product for that problem. I think the offerings are falling behind. SMBs are falling behind on security. I don't think they're keeping up. They are losing the war. But there are a lot of services being put together now."
Kelleher added, "I think too many SMBs are worried about viruses and spam. They need to start looking beyond. There are many, many more threats and they have to be more proactive. They can't wait for something to happen. They basically need to take out an insurance policy because ultimately security is a cost of doing business."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer