Biggest security threat? Your users

Computerworld - Whether it is the FBI's sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained "sensitive or classified information" or the drama of retailer TJX's February admission that the incident that put its customer credit card information in the hands of thieves impacted more people than originally thought, security incidents keep making headlines and vexing organizations.

Unfortunately, even the best security technology in the world can't completely protect a company from the biggest vulnerability it has -- its own end users. Security researchers repeatedly label end users the biggest threat to enterprise security. Unlike applications that can be patched or systems that can be hardened, end users -- whether through naivete, carelessness, or malicious intent -- continue to expose IT resources to serious security threats.

"Security is fundamentally a human issue," says Scott Crawford, an analyst at Enterprise Management Associates in Boulder, Colo. "Human nature can be totally unpredictable, so when it comes to IT, the risk posture changes every day."

And as enterprise data becomes more portable and thus more vulnerable to an evolving list of threats, both the dangers and the costs associated with these risks continue to rise. Companies face serious economic consequences from data breaches that can damage their reputations and result in remediation expenses, fines and other costs.

A study conducted by the privacy think tank the Ponemon Institute and funded by security vendors PGP Corp. and Vontu Inc. pegs the cost of a breach at an average of $182 per lost or exposed record. And costs can rise beyond that, depending both on the business the breached company is in and how critical the records are to that organization. For example, data aggregation vendor ChoicePoint Inc., which delivers risk management and fraud information to clients in the insurance industry and other fields, watched its market capitalization plummet $720 million after news that 145,000 consumer accounts were compromised after a breach of its systems.

But while safeguarding networked information in a time when data is so mobile is a challenge, businesses that apply the right security techniques and technologies can successfully protect their resources. This starts with having the best first line of defense possible: an effective set of enforceable enterprise security policies that address how and by whom information should be accessed, stored, transferred and handled. Organizations need to communicate policies to staff members, contractors and partners that have access to this information.

A culture of control

"What you want to do is create in your organization a culture that has security in its core," says Robert Lerner, an analyst at Heavy Reading, a New York-based market research firm. "When you create that, you immediately have a much more secure organization."