You can't secure what you don't acknowledge.SM

Tuesday, January 29, 2008

Dumb users the root of security problems?

We don't hear about this much in the "mainstream media," so it's good to see a well-known online publisher writing about the topic of dumb users causing security problems. SearchCIO-Midmarket.com has a piece on this very topic. According to a study done by GFI (the maker of a good entry-level vulnerability scanner, among other things), 48% of people believe that better awareness of security among employees would improve overall security. That ranks above getting management on board (which I disagree with) and well above having a large security budget.

All that said, we can recommend and claim we've performed "user awareness training" until we're blue in the face but we're still going to have security problems. Why? Because many employees don't listen, they forget, and they - by and large - don't care. They just want to go to work, do what they need to do to earn their paycheck, and not be hassled with security controls and mandates from IT.

Here's the deal: people do things for a reason. They violate policies and create business risks because:
  • they're lazy
  • they don't buy into what's being sold
  • they don't understand what's required of them
  • they know they won't get into trouble if they do get caught
Or:
  • their desire to violate your security policies outweighs their perceived risk (usually because of all of the above)
Remember that people will continue to violate security policies and create business risks until there's a real incentive for them not to. Period.
