Ask marketing and they will tell you that organising a seminar is still a great way to promote your organisation and attract business. “Be prepared though” they will add, “for about 30 per cent of those accepting an invitation to fail to turn up.” Not so though, with a company like Symantec or its counterparts. The secret is in the importance of the message. Security and risk management are the concerns of all. Expect to find all name tags taken if you’re the last to arrive at their event. The problem though, in terms of spreading the message, is those often left off the invite list – the end users. In what seems now like a mythical past, (although I am assured by those more senior than I that it actually took place) it was entirely reasonable to leave home and not close the door, or at least not to lock it. But at some point, shortly after we were told that “we have never had it so good,” it all changed. Perceived and actual threats to our security moved us to change our behaviour. The same thing is happening in business now. Only a few short years ago it was sufficient for the average SME to have a robust antivirus policy and system in place. Only government agencies and the likes of Microsoft were targets of more serious forms of attack. We merely needed to watch for the spread of mass viruses, worms, or Trojans, apply the necessary patch, and we could sleep well at night. However, the once bravado and attention-seeking nature of the “latest global virus” has been superseded by more lucrative criminal activity. It’s all about money - obtaining other peoples’ hard-earned cash illegally and exploiting company data. The training of end users in security and risk management should be as prominent in the introduction of a new security package as it is in the introduction of an enterprise resource planning (ERP) system. No business would go to the expense, time, and effort, of implementing a new business-wide application without ensuring the complete buy-in of its staff. It is no criticism of the security and risk management vendors but a failure of senior management to think that they can merely cover their backs by saying they are “on the latest version.” Technology alone will never be the answer. Online criminals do not wear black and white stripped tops and eye-masks. They wear the clothes of respectability and understand human nature very well, and exploit it. Senior management need to instruct end users on the need to lock the door on leaving the house – or at least to make sure it is closed. Whereas those Symantec meetings are filled to the brim with IT directors and IT managers seeking guidance on best practice, technologies, solutions, and processes, it is the end users blissfully unaware that they are still leaving the door open, and in some cases inviting in the unwelcome stranger, that really need to be there.