The weakest security link? It's you

Page II: Despite their role as the last gatekeeper of IT security, many employees lack training and understanding.

"Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure," Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."

Thompson said that given a fixed budget, companies should first invest in a corporate security policy and staff training, before purchasing security products.

Leading a horse to water
Some companies, however, have taken the initiative to educate their work force, beyond having a security policy in an employee manual or posted on an internal Web site.

Historically, companies have viewed the issue of security and anti-virus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.

But the tide seems to be turning, even among employees.

"Employees are now concerned with who has access to their data and are also asking questions about whether our backup tapes are adequate," said Breth. "Now they're taking ownership of the data and making sure it's secure, rather than just saying it's the IT department's problem."

Breth noted the new privacy regulations are helping to drive the increase in employee awareness and participation.

Westfield's chief executive has also brought up the issue of IT security during the past two companywide meetings, and that has helped set the tone for visibility on the issue, Breth added.

"Over the past six months, the level of communication we've had with employees has ramped up, and people are being told about the role they play in keeping the whole company secure," Breth said. "Instead of a printed policy inside our employee manual that they read on their first day but then it sits on the shelf, we're now e-mailing people our policy, and they're hearing about it at our quarterly meetings."

Westfield is also supplying its employees with frequent security and anti-virus tips that go beyond avoiding unsolicited e-mail attachments.

Convergys, meanwhile, posts a security newsletter on its intranet every two weeks, displays security-related posters throughout the workplace and is currently working on making some of its security and anti-virus training mandatory, as well as requiring some familiarity with the company's security policy as part of the annual review process, Moore said.

"The big problem with educating employees on security issues is being able to track whether you're getting through to people," Moore lamented. "Everyone knows about viruses, for example, but half the people don't have anti-virus software. They're the ones who become the (spam) zombies and infect the entire human race."


Talkback 2 comments

    Anonymous -- 29/07/04

    Interesting article but it really only addressed the dangers of email and viruses. The real danger is the "trusted employee" who brings in his own data files or software. At my work I have found this to be the largest problem and as such we are currently trialing some new software from apreo, which seems to be doing the trick.

    Anonymous -- 03/08/04

    Great information, but not complete. There now exist viruses that download their payloads as the email is loaded into a webmail browser and even Outlook, possibly using a third-party cookie. Until you have seen this behaviour, you won't believe it.

    A new email tracking system designed around the concept of "read receipt" seems very close to the same problem, by utilising the way a cookie works. While I am paying for downloads, including ads I definitely do not want to see - the ACCC may be interested.
