Is your enterprise a security thicko?
Security training needs to be much more targeted if it is to be successful, argues Davey Winder.
"A lot of companies tend to treat IT security education in isolation. Whereas it should form part of a company's overall training schedule. It should also be integrated into its culture and ethos," Robinson points out. In essence, it requires a culture and ethos that should involve people making sensible choices, to be frank.
One of the sensible choices, according to Stephen Bonner, a partner in KPMG's information protection business resilience team, might be in changing the term security awareness itself as this can suggest something done to an individual.
"Campaigns work best when people understand why it's important to the business to be sensible about security," Bonner insists. "[And] why it benefits them as an individual to do the right thing."
It also helps if the security policies are realistic about their expectations of user behaviour in the first place. And realistic about memory retention for that matter. Even when IT security training is provided for every employee, it's often not reaffirmed which means it could go in one ear and out the other very quickly.
"Enterprises should look to provide daily or weekly security tips to all employees and refresh or even test their knowledge on a quarterly basis to remain confident that their staff are up to date on the latest threats," says Chris Jenkins, European general manager for security at Dimension Data. Although I'm not sure daily security tips would get much real attention after a very short period of time. More likely, they would just get lost in the sea of other emails and communications. The quarterly refreshers, on the other hand, sounds eminently practical. None of which is to say that enterprises in general don't train staff in security matters as part of the induction process, and most medium-to-large organisations have significantly increased the amount of ongoing training they provide by way annual updates and the like.
"It does seem though that this is often driven for reasons of compliance to standards," warns Terry Greer-King, director of security at Cisco in the UK and Ireland. He continues: "Rather than a deep seated desire to improve things and there is significant room for improvement."
One area ripe for improvement is that the key focus of training is all too often misplaced, with staff perceiving that security is for the business to sort out with the relevant tools and restraints to support it. It's this failure to involve staff properly which is seen by many as the problem. "Failure to involve users as educated participants in security creates a fractured relationship and this fundamental disconnect, which applies across many businesses, leads to the failure to involve staff in risk awareness and assessment," insists Ian Kilpatrick, chairman of Wick Hill Group.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.