Security Training 101
Mon, April 27, 2009
Network World — Installing the latest security hardware and software means nothing if end users don't practice cyber safety. And the best way to get end users to 'think security' is to create an ongoing culture of security at your company.
"Security awareness isn't one of those things that organizations do for fun. It's 24/7 and accountability starts with the CEO and is pushed to all corners of the organization," says Larry Ponemon, founder of the Ponemon Institute, a privacy and data protection research firm in Traverse City, Mich.
The stakes are high and getting higher all the time. In January, the Identity Theft Resource Center (ITRC) reported that the number of data breaches in 2008 increased 47% compared to 2007. The organization also reported that 35.2% of breaches were due to human error.
And Ponemon recently released a study showing that the average cost of a data breach grew to $202 per record compromised in 2008, up from $197 per record in 2007. And the average security event cost individual companies $6.6 million per breach in 2008, up from $6.43 million in 2007 and $4.7 million in 2006.
Worse, security breaches result in a loss of consumer confidence, which translates into customers taking their business elsewhere.
So, what are the keys to a successful security awareness program? Creating a culture of security starts at the top, includes individuals from all departments and groups, is based on pre-determined policy and subsequent controls, is consistently revisited and updated, and is practiced daily.
Security is Job One
Computer security is a fast-moving target. Today there are more threats, more vulnerabilities, more portable storage devices, and increased mobility. There's also less of a wall between one's personal life and work life. The things to protect and protect against are changing.
That means educating end users about security is more difficult, demanding and necessary than ever before.
"Today, users are more aware of existing threats, but threats are more sophisticated and they migrate faster," says Max Reissmueller, senior manager of IT infrastructure and operations at Pioneer Electronics in Long Beach, Calif.
Reissmueller is responsible for end user security awareness for roughly 1,600 employees at about 15 locations in North America. Pioneer Electronics has a formal security review board that updates policy annually and disseminates changes to end users.


