Is your enterprise a security thicko?

Security training needs to be much more targeted if it is to be successful, argues Davey Winder.

"A lot of companies tend to treat IT security education in isolation. Whereas it should form part of a company's overall training schedule. It should also be integrated into its culture and ethos,"  Robinson points out. In essence, it requires a culture and ethos that should involve people making sensible choices, to be frank.

One of the sensible choices, according to Stephen Bonner, a partner in KPMG's information protection business resilience team, might be in changing the term security awareness itself as this can suggest something done to an individual.

"Campaigns work best when people understand why it's important to the business to be sensible about security," Bonner insists. "[And] why it benefits them as an individual to do the right thing."

It also helps if the security policies are realistic about their expectations of user behaviour in the first place. And realistic about memory retention for that matter. Even when IT security training is provided for every employee, it's often not reaffirmed which means it could go in one ear and out the other very quickly.

"Enterprises should look to provide daily or weekly security tips to all employees and refresh or even test their knowledge on a quarterly basis to remain confident that their staff are up to date on the latest threats," says Chris Jenkins, European general manager for security at Dimension Data. Although I'm not sure daily security tips would get much real attention after a very short period of time. More likely, they would just get lost in the sea of other emails and communications. The quarterly refreshers, on the other hand, sounds eminently practical. None of which is to say that enterprises in general don't train staff in security matters as part of the induction process, and most medium-to-large organisations have significantly increased the amount of ongoing training they provide by way annual updates and the like.

"It does seem though that this is often driven for reasons of compliance to standards," warns Terry Greer-King, director of security at Cisco in the UK and Ireland. He continues: "Rather than a deep seated desire to improve things and there is significant room for improvement."

One area ripe for improvement is that the key focus of training is all too often misplaced, with staff perceiving that security is for the business to sort out with the relevant tools and restraints to support it. It's this failure to involve staff properly which is seen by many as the problem. "Failure to involve users as educated participants in security creates a fractured relationship and this fundamental disconnect, which applies across many businesses, leads to the failure to involve staff in risk awareness and assessment," insists Ian Kilpatrick, chairman of Wick Hill Group.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021