IT managers are looking to outside sources to help educate users who are oblivious about how their actions put corporate networks at risk.
Hackers have generally shouldered the blame for security breaches, but new research shows that a growing threat comes from within. In 2006, human error accounted for nearly 60% of information security breaches, up from 47% in 2005, according to recent research from the Computing Technology Industry Association (CompTIA), an industry trade group in Oak Terrace, Ill. CompTIA surveyed 574 IT professionals in various fields through a Web-based poll to obtain its results, which it will release in their entirety next month.
Despite the rise in internal threats from human error, the study reported that just 36% of those polled offered security awareness training to their end users. Only 29% required security training for IT staff, the CompTIA study said.
To minimize the danger posed by careless users, IT managers are placing a new emphasis on training. Mark Mrotek, who handles IT security for the computer systems of Peoria, Ariz., said he is in the process of planning security awareness training for city employees.
The plan includes posting information on the city's intranet, putting posters and flyers in break rooms and talking about security during the quarterly open meetings the IT department holds to update people about IT projects. Putting the plan into action is one of his top priorities this year, Mrotek said.
Microsoft makes available free security toolkit
Concerns about internal security by IT managers like Mrotek led Microsoft to develop its free Security Awareness Toolkit.
IT managers kept telling Microsoft that internal risks were a growing problem, said Lori Woehler, Microsoft's director of security outreach in the Trustworthy Computing Group. "We've found that security awareness programs can be one of the most effective and low-cost ways to address such risks, and so we developed guidance and templates to do just that," Woehler said.
The toolkit includes security awareness presentations for non-IT employees and templates for brochures, email invitations, newsletters, posters and PowerPoint presentations. There are also sample templates that can be used to train IT staff, she said.
Companies offer training packages
Symantec Corp. and Mission Viejo, Calif.-based Foundstone Inc., a division of McAfee Inc., are among a number of companies that offer in-depth security training packages that range in price.
Based in Cupertino, Calif., Symantec offers a bundle of Web-based courses with 10 modules priced on a per-user basis. Its services include customizing course content to fit a company's existing policies and procedures.
"About four years ago we started receiving comments from customers telling us they needed training for their employees," said Luis Navarro, a Symantec consultant in its security awareness practice. The emphasis of the Sarbanes-Oxley and HIPAA regulations on security training for employees also played a part in the decision to offer the training, Navarro said.
Foundstone offers security awareness training for non-IT workers as well as training on hacking and security defense for IT workers. "We all know the weakest link in the chain is people, not technology," said Bill Hau, vice president of Foundstone professional services.