Is your enterprise a security thicko?
Security training needs to be much more targeted if it is to be successful, argues Davey Winder.
"A lot of companies tend to treat IT security education in isolation. Whereas it should form part of a company's overall training schedule. It should also be integrated into its culture and ethos," Robinson points out. In essence, it requires a culture and ethos that should involve people making sensible choices, to be frank.
One of the sensible choices, according to Stephen Bonner, a partner in KPMG's information protection business resilience team, might be in changing the term security awareness itself as this can suggest something done to an individual.
"Campaigns work best when people understand why it's important to the business to be sensible about security," Bonner insists. "[And] why it benefits them as an individual to do the right thing."
It also helps if the security policies are realistic about their expectations of user behaviour in the first place. And realistic about memory retention for that matter. Even when IT security training is provided for every employee, it's often not reaffirmed which means it could go in one ear and out the other very quickly.
"Enterprises should look to provide daily or weekly security tips to all employees and refresh or even test their knowledge on a quarterly basis to remain confident that their staff are up to date on the latest threats," says Chris Jenkins, European general manager for security at Dimension Data. Although I'm not sure daily security tips would get much real attention after a very short period of time. More likely, they would just get lost in the sea of other emails and communications. The quarterly refreshers, on the other hand, sounds eminently practical. None of which is to say that enterprises in general don't train staff in security matters as part of the induction process, and most medium-to-large organisations have significantly increased the amount of ongoing training they provide by way annual updates and the like.
"It does seem though that this is often driven for reasons of compliance to standards," warns Terry Greer-King, director of security at Cisco in the UK and Ireland. He continues: "Rather than a deep seated desire to improve things and there is significant room for improvement."
One area ripe for improvement is that the key focus of training is all too often misplaced, with staff perceiving that security is for the business to sort out with the relevant tools and restraints to support it. It's this failure to involve staff properly which is seen by many as the problem. "Failure to involve users as educated participants in security creates a fractured relationship and this fundamental disconnect, which applies across many businesses, leads to the failure to involve staff in risk awareness and assessment," insists Ian Kilpatrick, chairman of Wick Hill Group.
In This Article
B2B under quarantine
Key B2C e-commerce features B2B need to adopt to surviveDownload now
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service managementDownload now
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
How fashion retailers are redesigning their digital future
Fashion retail guideDownload now