
Security education: ineffective or the wrong approach?

on June 30, 2009

Employees don’t give two hoots about security or security policies. They share passwords with colleagues; they share work devices with others without supervision; they transfer files from their laptop to home computer; they use their corporate email address to subscribe to non-work related newsletters / sites; and if their boss says they can’t do something, nine out of ten will try.

And if recent reports are anything to go by, more and more employees will ignore a company’s security policies if that either means getting work done faster or if they need some form of insurance in case they receive that dreaded, recession-driven ‘thank-you-but-you-are-fired’ letter.

If employees are going to ignore the IT department and bypass security policies anyway, what’s the use of spending unproductive time trying to educate people and writing policies that won’t be read by anyone, let alone adhered to? Waste of time, money and resources? Or are we missing the point altogether?

There are two schools of thought.

The first school believes that employee awareness is a waste of time. There is no point in security awareness, critics argue, if no one is going to listen. They argue further that tech-savvy employees – and they are increasing in number – will always find a way around any obstacle the IT admin puts in their path. The best course of action, they conclude, is simply to plug as many security holes as possible using group policies and software/hardware to protect the network.

The second school, however, believes that security education has been a failure because the approach has been flawed from the outset. For years there has been a serious disconnect between IT, management and employees: same company, same goals, but each one talking a totally different language. And here, I think, lies the problem.

Employees (and non-IT managers) cannot be given a ‘do not’ list and be expected to follow each item to the letter. People – and this is an important word – are not machines that accept instructions without question. People would like to understand (even if they disagree) what they are being asked to do… and it makes a huge difference in terms of both the relationships with managers and IT personnel and how employees go about their job.

When properly administered, security awareness in an organization can make a difference. You cannot expect EVERYONE to heed your wise words but an explanation using everyday language will hit home. If five out of every 10 employees start paying greater attention to what attachments they are opening or what links in emails they click on, the IT helpdesk, for example, stands to benefit from fewer ‘there are pop-ups all over my screen – what am I going to do?’ calls.

Some employees will totally ignore anything their IT manager says – they either don’t care or they are too tech savvy to be ‘educated’; but there are others who will appreciate being told why they need to use a complex password and not their mother’s maiden name or their surname.

The key is to relate security to something they can associate with; an issue that could affect them personally. Weak passwords are easily hacked… if employees use weak passwords for all their accounts / memberships their data / identity is at risk – personal data too. People are apt to change attitudes when the problem is closer to home than they realized.

Education alone will not shore up a network’s defenses. Security policies and software or hardware security measures are a must (woe betide those who think otherwise – and they are many). But raising awareness about security among employees and non-IT staff is not something to be ignored either.

With proper planning, some incentives and senior management’s backing, security education will have a positive impact over time.

About the Author:

David Kelleher is Director of Public Relations at GFI Software. With over 20 years’ experience in media and communications, he has written extensively for business and tech publications and is an editor and regular contributor to Talk Tech to Me.


Comments

Geeks are Sexy, July 2, 2009 2:08 pm

You know what they say… security is only as strong as its weakest link. Sure, security awareness certainly can’t hurt, but it only takes one person to make all your noble, precious efforts useless.

David Kelleher, July 3, 2009 11:39 am

@GeeksAreSexy

Very true. However, end-users are closer to potential problems and are often the first to identify security incidents. The goal of an awareness program is often to change attitudes to technology and to help employees appreciate the value of the data and technology they are using. And this takes time and repetition. As you rightly point out, it only takes one employee to ruin all the hard work. At the same time, though, I would prefer my risk to be limited to that one employee, if the remaining 49, for argument’s sake, are alert and aware of the consequences of their actions. Long-term, I believe, there is value in having an educated and alert workforce.

Thanks for your comment.