Ignorance Is Not Bliss

Comment Article – ITAnalysis: Ignorance is not bliss

By Fran Howarth, principal analyst, Quocirca Ltd

As we enter 2009, most of us are tightening our belts as budgets are slashed and projects put on hold. But security threats continue to rise. For 2008, the Identity Theft Resource Center estimates that 35 million data records were breached in the US alone, the majority of which were neither encrypted nor protected by a password. Such a sad state of affairs shows that security practices and awareness remain low, and that hackers will continue to prey on organisations as a result.

Even as organisations close off the obvious security holes, the number of threats a business faces continues to grow, from malware attacks to social engineering. Even an organisation that has carefully established an enterprise-wide security programme could still find itself at risk. It may have developed security plans, put in place controls to limit access to systems and information, proactively managed network configurations and maintained operations plans for key information systems. But the best laid plans can have gaps, and numerous studies have shown that people are often the weakest link, with the insider threat still the greatest for most organisations. If any weaknesses remain, a malicious or careless employee can circumvent poorly policed controls, increasing the risk of unauthorised access to, disclosure, modification or destruction of sensitive information, or of disruption to systems operations and services.

What is needed is the encouragement of proactive behaviour, which should of course be backed up with controls. Only when employees are made aware of what is expected of them, and understand how inappropriate behaviour can harm the organisation, are they likely to think about the consequences of their actions. For example, most users are now aware of the security threats posed by opening an email attachment from an unknown source without scanning it first, but many still fail to realise the dangers of taking work home to personal computers that may not have the same security level as a corporate-issued machine, or of downloading software from the internet.

The Office of Management and Budget (OMB), part of the US government, issued a report in 2007 entitled Common risks impeding the adequate protection of government information, in which it identified the top ten risks. In top position on the list was the risk that security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of the various personnel involved. The findings of the OMB are no less applicable to private industry. Indeed, ENISA, the European Network and Information Security Agency, concurs with the OMB, stating that awareness of the risks and of the available safeguards is the first line of defence for the security of information systems and networks.

If that is not enough to convince, consider the following: if your organisation is subject to any of HIPAA, Sarbanes-Oxley, FISMA, GLBA or the PCI DSS standard, some level of security awareness training for employees is mandatory. Some of these requirements are specific in nature, whilst others stipulate that safeguards must be put in place that are appropriate to the size and type of organisation.

Historically, security awareness training has received scant attention. The Business Software Alliance (BSA) recently conducted a survey of large organisations which found that employee awareness was a major challenge for 64% of respondents when implementing an information security programme, and that only 16% felt their employees were adequately trained. One of the key reasons for this can be found in the results of the 2007 Computer crime and security survey undertaken by the Computer Security Institute, which found that almost half of respondents spend less than 1% of their IT security budgets on awareness training. Too many organisations have had their heads in the sand.

However, security has recently emerged from being a grudge purchase, made to fix a problem that has already occurred, and is increasingly being seen as a business enabler. This is leading many organisations to realise the importance of security awareness training, and Quocirca has noticed a sharp uptick among the organisations it has spoken to in terms of putting awareness programmes in place.

Yet, if so many of the respondents to the BSA survey referenced above feel their employees are inadequately trained, what constitutes best practice? Quocirca recently spoke to technology vendor Symantec about its in-house security awareness training programme for employees, which it is now also offering as a package to external organisations. To be effective, any programme must encompass all employees in the organisation, including consultants and contractors, and must be tailored to provide training relevant to each role in the organisation. This is backed up by conversations with other organisations, which started their programmes by defining the different roles in the organisation, from those handling customer payments to IT development staff.

Symantec, and the clients to which it sells security awareness training programmes, emphasise that web-based training is not only the most cost-effective method of training but also brings the best results, because employees can study at a time of their choosing and an audit trail is generated showing where each employee is in the programme. It must also be stressed that initial training should be provided for all new hires, backed up with continual reminders in the form of posters, screensavers and reminder cards, as well as post-training assessments to gauge the effectiveness of the programme, and refresher courses. If the web-based system is also backed up with collaborative communication tools, employees can ask their peers when they do not understand something, or interact with dedicated personnel working within the areas under study, to ensure that they understand exactly what is expected of them and why actions are being carried out.

Any training must address the complete range of security issues facing organisations, including information protection, social engineering, remote worker security, virus and malware protection, password security, web, email and instant messaging security, mobile and phone security, and physical security. It must also be flexible enough to be extended to address new threats and attack vectors as they come to light. When prioritising budgets for 2009, organisations should realise that throwing a technology solution at a problem is not enough to secure their assets. Rather, employees need to be aware of the part they have to play in minimising the risks the organisation faces. Only when technology, people and processes are working in sync can an organisation be sure that its security investments are truly effective.


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressure to show demonstrable business value in any implementation. This capability to uncover and report back on end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long-term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com

© 2009 Quocirca Ltd

http://www.quocirca.com

+44 118 948 3360
