Employee awareness: The missing link

Computerworld - What does it mean when 90% of computer users can remember the name of the performer from the last Super Bowl half-time show, but only 60% know when they had last updated their computer security program? Security awareness is not where it should be.
The nonprofit National Cyber Security Alliance released a study with these results and also stated that more than a third of the PC users surveyed said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.
Something isn't right.
In an Ernst & Young study, more than 70% of the1,233 organizations surveyed failed to list training and raising employee awareness of information security issues as a top initiative. Even though 93% of businesses have antivirus software in place, 72% of businesses received infected e-mail files during 2004, and roughly two-thirds of large businesses experienced virus infections or denial-of-service attacks last year. And still, less than half of Ernst & Young's respondents provide their employees with ongoing training in security.
Today's businesses are at severe security risk. Raising business concerns demand proactive intrusion-prevention systems. Central security measures such as firewalls, antivirus software and content filtering assist in protecting company data, but organizations must also realize the value that comes from raising security awareness among their employees. Individuals who have not been properly trained in dealing with Internet threats are responsible for some of the largest security breaches today. According to Meta Group research, 75% of organizations have found that lack of user awareness damages their security programs' effectiveness. Organizations across every industry must take the time to develop a security awareness program, which could turn out to be the missing link -- the most powerful link -- in their chain of defense.
With security intrusion on the rise, information protection is more crucial than ever. And while there is not one universal solution, passive resignation is not the answer either. As businesses become more dependent on technology and the Internet, computer security is becoming increasingly vital, not only to success but to survival as well.
The following guidelines and suggestions will help companies develop an effective employee security-awareness training program, thus fortifying and creating business environments that can fight against unwanted intrusions.

Evaluate current end-user awareness
The first step is to develop a security awareness task force, which may very well be the bridge between development and corporate introduction. A typical task force includes individuals from a variety of areas, including IT security, physical security, corporate