For the Thousandth Time: Security is About Training Users
Commentary: Security is mostly a people issue, not a technology issue.You can throw as much technology as you want at securing your organization but, when it comes down to it, you dont stand a chance unless your end users are aware that what they door dont dohas a lot to do with how secure your enterprise is. At the 29th Annual Computer Security Conference and Exhibition in Chicago this week, security vendors and consultants kept stressing one point: Security is mostly a people issue, not a technology issue. Here at eWeek Labs, weve written so many stories on the importance of internal security policies, on security training for employees, and on social awareness that IT managers reading these stories probably roll their eyes and think, "Well, duh." But guess what? We continue to receive an inordinate number of letters from IT managers commenting on how idiotic their end users are when it comes to security. If an end user doesnt realize you have to remove a mouse from its packaging in order to use it, can you realistically expect him or her to realize that scribbling a password on a Post-It note tacked to a computer monitor is not what you meant by "safe-keeping?"
Snicker all you want, but its true. Just ask Joe Duffy, Partner-in-Charge of the Security Practice within PriceWaterhouseCoopers Global Risk Management Solutions (GRMS) practice, who has heard his share of security breach scenarios involving employees. Duffy, who at the conference presented a model for figuring out how much security is enough, would be the first to tell you that managers need to consider training when determining how much to budget on security.