Comment Article
ITAnalysis – Ignorance is not bliss
As we enter 2009, most of us are tightening our
belts as budgets are slashed and projects put on
hold. But security threats continue to rise. In
2008, the Internet Theft Resource Center
estimates that 35 million data records were
breached in the US alone, the majority of which
were neither encrypted nor protected by a
password. Such a sad state of affairs shows that
security practices and awareness remain low,
and that this will lead to hackers continuing to
prey on organisations. Even as organisations do
close off the obvious security holes, the number
of threats that a business faces continues to
grow—from malware attacks to social
engineering.
Even an organisation that has carefully
established an enterprise-wide security
programme could still find itself at risk. It may
have developed security plans, put in place
controls to limit access to systems and
information, as well as proactively managing
network configurations, and maintaining
operations plans for key information systems.
But the best laid plans can have gaps—and
numerous studies have shown that people are
often the weakest link, with the insider threat
still the greatest for most organisations. If any
weaknesses remain, a malicious or careless
employee can circumvent poorly policed controls,
increasing the risk of unauthorised access to and
disclosure, modification or destruction of
sensitive information, or disruption to systems
operations and services.
What is needed is the encouragement of
proactive behaviour, which should of course be
backed up with controls. Only when employees
are made aware of what is expected of them and
understand how inappropriate behaviour can
negatively impact the organisation are they likely
to think about the consequences of their actions.
For example, most users are now aware of the
security threats faced when opening an email
attachment from an unknown source without
scanning it first, but many still fail to realise the
© 2009 Quocirca Ltd http://www.quocirca.com
By Fran Howarth, principal analyst, Quocirca Ltd
dangers of taking work home to personal
computers that may not have the same security
level as a corporate-issued machine or of
downloading software from the internet.
The Office of Management and Budget (OMB),
part of the US government, issued a report in
2007 entitled Common risks impeding the
adequate protection of government information
in which it identified the top ten risks. In top
position on the list was the risk that security and
privacy training is inadequate and poorly aligned
with the different roles and responsibilities of the
various personnel involved. The findings of the
OMB are no less applicable to private industry.
Indeed, ENISA, the European Network and
Information Security Agency, concurs with the
OMB, stating that awareness of the risks and
available safeguards is the first line of defence
for the security of information systems and
networks.
If that is not enough to convince, then consider
the following: if your organisation is subject to
any of the following regulations—HIPAA,
Sarbanes-Oxley, FISMA, GLBA or the PCI DSS
standards—some level of security awareness
training for employees is mandatory. Some of
these requirements are specific in nature, whilst
others stipulate that safeguards need to be put
in place that are appropriate according to the
size and type of organisation.
Historically, security awareness training is an
area that has received scant attention. The
Business Software Alliance (BSA) recently
conducted a survey that found that employee
awareness was a major challenge for 64% of
respondents, all of which were from large
organisations, when implementing an
information security programme, with only 16%
feeling that their employees were adequately
trained. One of the key reasons for this can be
found in the results of the Computer crime and
security survey of 2007 undertaken by the
Computer Security Institute. It found that almost
half of respondents spend less that 1% of the IT
+44 118 948 3360
 Comment Article
security budgets on awareness training. Too
many organisations have had their heads in the
sand.
However, security has recently emerged from
being a grudge purchase to fix a problem that
has occurred and is now increasingly being seen
as a business enabler. This is leading many
organisations to realise the importance of
security awareness training and Quocirca has
noticed a sharp uptick among organisations that
it has spoken to in terms of putting awareness
programmes in place. Yet, if so many of the
respondents to the BSA survey referenced above
feel their employees are inadequately trained,
what constitutes best practices?
Quocirca recently spoke to technology vendor
Symantec about its in-house security awareness
training programme for employees, which it is
now also offering as a package to external
organisations. To be effective, any programme
must encompass all employees in the
organisation, including consultants and
contractors, and must be tailored to provide
training relevant for each role in the
organisation. This is backed up with
conversations with other organisations, which
started their programme by defining the different
roles in the organisation, from those handling
customer payments to IT development staff.
that they understand exactly what is expected of
them, and why actions are being carried out.
Any training must address the complete range of
security issues facing organisations—including
information protection, social engineering,
remote worker security, virus and malware
protection, password security, web, email and
instant messaging security, mobile and phone
security, and physical security. It must also be
flexible enough to be extended to address new
threats and attack vectors as they come to light.
When prioritising budgets for 2009,
organisations should realise that throwing a
technology solution at a problem is not enough
to secure their assets. Rather, employees need
to be aware of the part that they have to play in
minimising the risks that the organisation faces.
Only when technology, people and processes are
working in sync can an organisation be sure that
its security investments are truly effective.

Symantec, and its clients to which it sells

security awareness training programmes,
emphasises that web-based training is not only
the most cost-effective method of training, but it
also brings the best results as employees can
study at a time that they choose, with an audit
trail generated as to where all employees are in
the programme. It must also be impressed that
initial training should be provided for all new
hires, backed up with continual reminders in the
form of posters, screensavers and reminder
cards, as well as conducting post-training
assessments to gauge the effectiveness of the
programme and refresher courses. If the web-
based system is also backed up with
collaborative communication tools, employees
can ask their peers when they do not understand
things, or can interact with dedicated personnel
working within the areas under study to ensure

© 2009 Quocirca Ltd http://www.quocirca.com +44 118 948 3360

 Comment Article

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com

© 2009 Quocirca Ltd http://www.quocirca.com +44 118 948 3360