Do your users take IT security
seriously? A recent poll would indicate many workers do not. This trend is not
exclusive to the U.S.; the poll included respondents from around the globe.
What the poll reflects is that employees look to IT to be the responsible ones,
and in today’s climate of sophisticated attacks, speed and connectivity, it
really should be in every employee’s job description to adhere to security policies
and be a part of protecting the company from outside threats.
The poll was conducted earlier
this fall by Avira, a German antivirus software company
and published last week. The company asked three questions under the heading
of: How careful are you when it comes to IT security in your company? There
were 991 respondents with the majority (717) of the respondents being either
German, English or Russian speaking.
1) We have strict and detailed
policies for IT security and the entire company takes care to follow all the
policies in order to protect the company - 38.95 percent of the respondents who
answered this question agreed.
2) We have security policies, but
I don’t think anybody cares if we follow the policies or not - 35.42 percent of the respondents who
answered this question agreed.
3) I don’t think about IT security
at all; our system administrators are responsible for security so it’s not my
concern. - 25.63 percent of the respondents who answered this question agreed.
The employee attitude in questions
two and three is essentially saying to IT, “it’s not my job.” This is
where the need for employee education becomes more critical.
Hopefully, most organizations
these days have published messaging policies that cover everything online -
from mobile, to social media, to email and Web. Provided that is in place,
making sure that employees are more aligned with the question one camp (“…
the entire company takes care to follow all the policies in order to protect
the company”) takes effort.
“When we see that less than 40
percent of workers take IT security seriously while at work, we know there is
more to be done when it comes to educating people about IT security,” said
Sorin Mustaca, data security expert at Avira. “Holding regular employee
sessions to address the importance of staying vigilant while at work to make
sure nothing happens to the corporate or small business network is equally important.”
Recommendations for Employee Education
Mustaca believes that using recent
scary statistics of all the bad things out there to try to make employees get
on board is not the best tactic, as he thinks the impression would be fleeting
and soon forgotten.
Instead, Mustaca says, “I can
imagine some live sessions demonstrating how malware gets into computers and
how users like themselves get infected (the attack vectors). We have malware
today that comes via email, gets dropped by simply visiting a web site, gets
transmitted via Instant Messaging or gets transmitted because of a vulnerability
in a software. It is important to show them also the effects of such an
infection. Many malware these days steal or encrypt documents, install
keyloggers, steal banking information and so on.”
Phishing is another area that
employees need to better understand. Mustaca recommends describing how many
methods of phishing exist. “Any user should be able to identify a
phishing web site, because this can affect them also when they are home.”
Big company-wide sessions are not
ideal, Mustaca believes. He recommends that educational sessions be small so
that employees are able to concentrate on the facts and ask questions. He also
thinks it is very important that the sessions have mixed participation from
people with various backgrounds. “This way it can be seen that anyone can
be hit if he or she doesn’t pay attention.”
Today, employees are expected to
perform tasks at heightened speeds. This has created a daily routine that means
employees may take more risks with company information and simply be too busy
just getting through their day to pay much attention to company policy or IT security.
Mustaca notes that while he
understands people see computers as tools to do their jobs, “I am
disappointed to see that a quarter of the users who took the survey are completely
ignoring the importance of IT security. If all who access the Internet would
fulfill some minimum security requirements then the online world would be a
much safer place.”
Unfortunately, many outside of IT do not take messaging
security seriously, but perhaps with ongoing user education and smaller-sized
training sessions, progress can be made toward enlisting every employee to
follow IT security policies.