Awareness Trumps New Security Toys
Our manager resists the urge to buy more technology and turns her attention to raising users' security knowledge.
Computerworld - From time to time, all security managers have to ask themselves, What is our weakest link? Is it our susceptibility to hackers and being the victims of a highly visible security breach, or is it insider threats? I had to think long and hard about that recently so that I could choose between investing in more security technology and investing in more security awareness training.
Buying technology is always tempting. Who doesn’t want cool new toys to play with? But I had to be realistic and look at the facts. For example, my recent request for money for additional security hardware and software had received only tentative approval. What’s more, I had not yet completed several key security projects. There was no question that I had to finish all the things I had begun before I would be given more money. Even if I drew up a proposal that made perfect sense and addressed a real problem, the fact remained that I already had a lot on my plate. I needed to prove the effectiveness of the technologies already being deployed before asking for more. I would look like a little kid asking for more ice cream before finishing the first serving.
Instead, I did a little research and found that, statistically speaking, end users are the biggest security threat in the enterprise. According to Symantec’s latest Internet Security Threat Report, “Attackers see end users as the weakest link in the security chain and are constantly targeting them in an effort to profit.”
While Symantec’s report focuses primarily on the threats that home users face, users are the weakest link for corporations and government agencies. That has been my experience as well. I might want to spend my agency’s money on cool security technologies, but that isn’t necessarily going to give me the biggest bang for the buck.
With that in mind, I turned my focus to security awareness training.
Or rather, I returned my focus to it. I had planned a fabulous security awareness program about a year ago, but I had no resources to implement it. It’s been at the back of my mind since then, and now, suddenly, here was an opportunity to go ahead with it. I would have to get the plan down on paper.
Step 1 in that process was to outline the topics to be covered. The general focus areas I chose are acceptable-use policies, computer and network security, physical security, protected health information and remote security. I decided that acceptable use should be the first topic because it relates directly to end-user do’s and don’ts.

