
Information security policies upended by untrained end users

Midmarket CIOs say user education would do the most to help secure their networks -- but is it possible to educate away gullibility?

Buy all the security technology you want. You're only as secure as your most idiotic end user.

A survey sponsored by security vendor GFI Software Ltd. revealed that midmarket CIOs don't want a bigger security budget. They want educated employees.

GFI's survey asked IT leaders at 455 small and midmarket businesses in the U.S. what would help improve the level of security at their companies. Only 12% said a larger budget would help. Forty-eight percent chose better awareness of information security policies among employees, and another 25% said better awareness of security among senior management was key.

Clearly that lack of awareness is contributing to their general feeling of insecurity, because 42% of survey respondents said they do not consider their networks to be secure -- even though 96% have antivirus technology in place and 93% have firewalls installed.

In fact, new research from New York-based AMI Partners Inc. has revealed that midmarket companies spent 17% more on security in 2007 than they did in 2006.

"They see the end user as the weakest link," said David Kelleher, project leader for research and surveys at San Gwann, Malta-based GFI. "The proliferation of these social networking sites has created more and more problems for administrators. These employees are spending their lunch break updating profiles and downloading files and clicking links. There's always the risk of clicking a link that takes you to a malicious Web site."

Kelleher said midmarket companies have information security policies, but there isn't a good level of communication between IT and end users. End users don't understand the reasoning behind the policies, nor how IT plans to enforce them.

Kelleher said CIOs should make sure new employees go through a rigorous induction course that explains what they can and can't do on the network. He said IT should also lean on vendors and resellers for education on security issues, particularly for educating senior management.

"Certainly end users are a big hole for most people, because end users are not going to be your most technically competent people," said Gary Chen, a senior analyst at Boston-based Yankee Group Research Inc. "And a lot of attacks today rely on the gullibility of users to click on a link."

Chen said it's important to educate end users, but he's not sure it will really do any good.

"I guess I'm not truly convinced that you can seriously make a dent in that problem," he said. "You can do all the training you want, but people are just going to be stupid and you're not going to be able to do much about it."

Chen said small and midmarket companies should strive to implement technologies that assume the user is going to do the wrong thing. He said these companies should look to vendors who offer integrated security services or managed services.

"There's just so many security technologies, and SMBs just don't have the time to research every new threat," Chen said. "What they need is to integrate stuff, to buy one service or device to handle everything instead of getting this product for this problem and that product for that problem. I think the offerings are falling behind. SMBs are falling behind on security. I don't think they're keeping up. They are losing the war. But there are a lot of services being put together now."

Kelleher added, "I think too many SMBs are worried about viruses and spam. They need to start looking beyond. There are many, many more threats and they have to be more proactive. They can't wait for something to happen. They basically need to take out an insurance policy because ultimately security is a cost of doing business."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer
