Information security policies upended by untrained end users

By Shamus McGillicuddy, News Writer
29 Jan 2008 | SearchCIO-Midmarket.com

Buy all the security technology you want. You're only as secure as your most idiotic end user.

A survey sponsored by security vendor GFI Software Ltd. revealed that midmarket CIOs don't want a bigger security budget. They want educated employees.

GFI's survey asked IT leaders at 455 small and midmarket businesses in the U.S. what would help improve the level of security at their companies. Only 12% said a larger budget would help. Forty-eight percent chose better awareness of information security policies among employees, and another 25% said better awareness of security among senior management was key.

Clearly this is contributing to their general feeling of insecurity, because 42% of survey respondents said they do not consider their networks to be secure -- even though 96% have antivirus technology in place and 93% have firewalls installed.

In fact, new research from New York-based AMI Partners Inc. has revealed that midmarket companies spent 17% more on security in 2007 than they did in 2006.

"They see the end user as the weakest link," said David Kelleher, project leader for research and surveys at San Gwann, Malta-based GFI. "The proliferation of these social networking sites has created more and more problems for administrators. These employees are spending their lunch break updating profiles and downloading files and clicking links. There's always the risk of clicking a link that takes you to a malicious Web site."

Kelleher said midmarket companies have information security policies, but there isn't a good level of communication between IT and end users. End users don't understand the reasoning behind the policies, nor how IT plans to enforce them.

Kelleher said CIOs should make sure new employees go through a rigorous induction course that explains what they can and can't do on the network. He said IT should also lean on vendors and resellers for education on security issues, particularly for educating senior management.

"Certainly end users are a big hole for most people, because end users are not going to be your most technically competent people," said Gary Chen, a senior analyst at Boston-based Yankee Group Research Inc. "And a lot of attacks today rely on the gullibility of users to click on a link."

Chen said it's important to educate end users, but he's not sure it will really do any good.

"I guess I'm not truly convinced that you can seriously make a dent in that problem," he said. "You can do all the training you want, but people are just going to be stupid and you're not going to be able to do much about it."

Chen said small and midmarket companies should strive to implement technologies that assume the user is going to do the wrong thing. He said these companies should look to vendors who offer integrated security services or managed services.

"There's just so many security technologies, and SMBs just don't have the time to research every new threat," Chen said. "What they need is to integrate stuff, to buy one service or device to handle everything instead of getting this product for this problem and that product for that problem. I think the offerings are falling behind. SMBs are falling behind on security. I don't think they're keeping up. They are losing the war. But there are a lot of services being put together now."

Kelleher added, "I think too many SMBs are worried about viruses and spam. They need to start looking beyond. There are many, many more threats and they have to be more proactive. They can't wait for something to happen. They basically need to take out an insurance policy because ultimately security is a cost of doing business."
