IT managers turn to training to reduce internal threats

By Eileen Kennedy, News Writer 20 Mar 2007 | SearchWinIT.com

News on enterprise Windows platforms and applications Digg This!     StumbleUpon     Del.icio.us

Hackers have generally shouldered the blame for security breaches, but new research shows that a growing threat comes from within. In 2006, human error accounted for nearly 60% of information security breaches – up from 47% in 2005, according to recent research from the Computing Technology Industry Association, an industry trade group in Oak Terrace, Ill. CompTIA surveyed 574 IT professionals in various fields through a Web-based poll to obtain its results, which it will release in its entirety next month.

More security stories: IT shops balance security with other priorities Many IT managers still dousing security fires IT pros: We can't stop every threat

Despite the rise in threats from human error, the study reported that just 36% of those polled offered security awareness training to their end users. Only 29% required security training for IT staff, the CompTIA study said.

To minimize the danger posed by careless users, IT managers are placing a new emphasis on training. Mark Mrotek, who handles IT security for the computer systems of Peoria, Ariz., said he is in the process of planning security awareness training for city employees.

The plan includes posting information on the city's intranet, putting posters and flyers in break rooms and talking about security during the quarterly open meetings the IT department holds to update people about IT projects. Putting the plan into action is one of his top priorities this year, Mrotek said.

Microsoft makes available free security toolkit

Concerns about internal security by IT managers like Mrotek led Microsoft to develop its free Security Awareness Toolkit.

IT managers kept telling Microsoft that internal risks were a growing problem, said Lori Woehler, Microsoft's director of security outreach in the Trustworthy Computing Group. "We've found that security awareness programs can be one of the most effective and low-cost ways to address such risks, and so we developed guidance and templates to do just that," Woehler said.

The toolkit includes security awareness presentations for non-IT employees and templates for brochures, email invitations, newsletters, posters and PowerPoint presentations. There are also sample templates that can be used to train IT staff, she said.

Companies offer training packages

Symantec Corp. and Mission Viejo, Calif.-based Foundstone Inc., a division of McAfee Inc., are among a number of companies that offer in-depth security training packages that range in price.

Based in Cupertino, Calif., Symantec offers a bundle of Web-based courses with 10 modules priced on a per-user basis. Its services include customizing course content and existing company policies and procedures.

"About four years ago we started receiving comments from customers telling us they needed training for their employees," said Luis Navarro, a Symantec consultant in its security awareness practice. The emphasis of the Sarbanes-Oxley and HIPPA regulations on security training for employees also played a part in the decision to offer the training, Navarro said.

Foundstone offers security awareness training for non-IT workers as well as training on hacking and security defense for IT workers. "We all know the weakest link in the chain is people, not technology," said Bill Hau, vice president of Foundstone professional services.

Tags: IT Career Development and Training,  Enterprise Infrastructure Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary A+  (SearchWinIT.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary