Enterprise Security: Educate Employees or Leave It to Microsoft?

By Don Reisinger  |  Posted 2009-06-25


Quite a few security issues have impacted the business world over the past few months. The Conficker worm was widely regarded as a potentially damaging threat. The Nine Ball outbreak looked like it had the potential to unleash serious damage on the enterprise after it compromised 40,000 legitimate Websites. In the meantime, malware has ravaged the Web, forcing security firms to find new ways to confront it. It's a real problem.

The business world knows that. Instead of turning a blind eye to malware, more firms are doing things that, they hope, will limit the amount of malware making its way into the network to threaten mission-critical data. More companies than ever are deploying multiple layers of security, including software solutions, hardware stopgaps, and limits on employee Web traffic. Their reasoning is that stopping users from reaching malicious sites, blocking malware before it ever enters the network, and catching with software whatever slips past the other protections will stop security issues before they become harmful. Admins are also forcing employees to run with limited rights, so they don't have too much liberty to download (knowingly or not) software that could wreak havoc on the network.

But lost amid all those security initiatives is education. It's not valued in the enterprise. For the most part, companies are concluding that deploying a solution such as Microsoft Security Essentials, a free software package from Microsoft to protect Windows users, is far more reliable than spending valuable company time trying to educate employees about the dangers of the Web.


On one hand, it makes sense. Companies are trying desperately to grow or maintain their business as the economic downturn continues to impact the world. Spending time educating employees on the dangers of the Internet might not make much sense, since that time could be better spent getting employees to work. Plus, with all the aforementioned security features in place, companies believe that the number of incidents impacting the enterprise isn't high enough to make educating employees necessary. Simply put, it's cheaper not to worry about the employees' understanding of Web dangers and to deal with issues as they break out, rather than spend time educating employees on things that could become a problem.

More Education, More Security

But is that really the best way to go about business? Many of the issues companies face today are due to the ignorance of employees. If they understood the perils of opening e-mail attachments from an unreliable source, knew what phishing is and how to spot it, and realized that surfing to particular Websites can pose real dangers, the total amount of malware affecting the Web might be reduced.

Malicious hackers and malware authors mostly engage in their activity to make money. Exploiting employees gives them a chance to make some extra cash. And some hackers have made a lucrative career out of doing just that.

But they wouldn't have a business if more people were educated. Employees would be able to recognize issues before they arise. They would know what it would mean to click on a suspect link, and they would be better equipped to handle any outbreaks that would occur. They wouldn't be click-happy users with utter disregard for what the impact could be on company computers. Right now, they don't know and they're fine with that.

And so are companies. That's a shame. An educated work force could improve the entire state of the Web. Once malicious hackers or malware authors realize that more companies have educated employees and they now know what to look out for, the number of instances of malware would undoubtedly be reduced. If there are fewer opportunities to profit off ignorant users, there will be less malware. It's simple logic.

But most (not all!) organizations don't see it that way. They reason that spending time and money on educating employees on basic Internet and e-mail use is a waste of time. It's a short-term view. And it's one that keeps bringing issues into the network.

In the end, any ounce of logic probably won't change that. The security software business is growing at a rapid rate. More security firms than ever are releasing products that will protect the enterprise against malware. And companies are focusing more on making their way out of the economic recession than on worrying about the long-term security of the network.

It's understandable. But there's always that chance that it could come back to bite the business world.
