Security Education Because the Weakest Link in the Chain Still Sits Behind the Keyboard
It is an old adage in security that the weakest link in the chain sits behind the keyboard. Even in today’s world of ever more complex and costly security breaches, careful investigation reveals that a simple case of user error usually plays a prominent role in the success of the breach.
While the human error is often a click on a link that should not have been clicked, or some similar mistake, there is a whole additional class of error that is as simple as not patching a known vulnerability or not updating malware or firewall rules. Sometimes the error is made by a single user who may not even be in the IT department, but even IT folks are guilty of silly mistakes.
The issue is that while we spend an ever-increasing amount of money on the latest security technologies, we don’t spend enough on security education. This is especially true in the midmarket. To put this problem in perspective, let me give you some statistics from the Verizon Data Breach Report of 2012:
96% of attacks were not highly difficult
97% of breaches were avoidable through simple or
That is right: 96 to 97% of data breaches could have been avoided without too much effort. Exactly what percentage would have been avoided with better security awareness and education of both non-IT and IT personnel is hard to say. But suffice it to say that a good chunk of them could have been.
This security awareness and education issue tends to hit the midmarket hardest. With limited budgets and a “lot of catching up to do”, so much attention regarding security is paid to getting the latest and greatest technology, putting a layered solution in place or even the outsourcing of security to an MSSP. However, while you can get all of the latest appliances and solutions and even outsource security, you cannot outsource awareness.
The best advice for midmarket companies is: don’t ignore or under-resource your security awareness training. Just because someone is IT-savvy does not mean they are security-savvy. Security may not be a top-of-mind issue for them. Non-IT people may not realize how easy it is for criminals to gain access to your organization’s network through innocent-seeming links on social media, for instance.
The good news is that security education and security awareness are usually not as expensive as buying new security products. Awareness is more a “state of mind” than a particular product.
So with the New Year, it is time for new thinking. Take the time to think about and implement a security awareness program in your midmarket organization. It may well be the best and most effective thing you are going to do to make your organization more secure this year!
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.