July 22, 2004 4:00 AM PDT

The weakest security link? It's you

In the late 1960s, Warren Moore was a young man working in the IT department at apparel giant Genesco.

As a prank, Moore rewrote some code for the company's IBM mainframe to allow him to send anonymous messages to co-workers. But his joke inadvertently resulted in his message being inserted into a sales forecast report, which was about to be presented by a Genesco vice president.


What's new:
Security technology may be getting more sophisticated, but that doesn't mean employees are--and they're often the last line of defense against viruses and other potentially costly security threats.

Bottom line:
As Symantec CEO John Thompson puts it, a lock is useless if you don't lock it. He and others suggest that companies get appropriate policies and training programs in place, rather than simply relying on software.

More stories on this topic

"Luckily, they didn't fire me," said Moore, who now serves as an information security consultant for Convergys. "I kept my job, but it got me thinking about computer security, and it got Genesco thinking about it too. They offered all their employees a program on the dos and don'ts of working with computers."

Genesco was ahead of its time in offering information-security training to its rank-and-file workers. And even today, security experts say very little is being done to educate employees on antivirus techniques and company policies relating to information security.

"People are the weakest link," said Chris Pick, vice president of market strategy at security and systems-management company NetIQ and co-founder of Human Firewall, an educational and informational Web site now operated by the Information Systems Security Association, or ISSA. "Education is the first line of defense."

But apparently not many companies are following that playbook.

Last year, the Human Firewall Security Awareness Index Survey found that 48 percent of the companies participating in the survey had never provided formal security training for their work force, Pick said. And of those companies that had, only 15 percent had provided such training in the previous six months. The National Cyber Security Partnership seems to be aware of the problem too. In March, the group urged companies to adopt more security education.

PC users are frequently pinpointed at the weakest link in the security chain. A recent survey of developers conducted by Evans Data, a market intelligence firm, found that one in four believed that biggest barrier to computer security is users refusing to follow policies. Nearly one in 10 developers thought security solutions were too complex for the average user.

The lack of an informed work force can be costly for a company, since technology can only go so far in protecting a network, security experts said.

What you don't know, can hurt you
"Unfortunately, people are still not thinking before opening an (e-mail) attachment. Every time a new virus comes out, people go out and do the same thing they shouldn't be doing," said Mike Breth, IT audit manager for the Westfield Group, an insurance and financial services company.

News.com Poll

Schooled in security
How often does your company provide you with security training?

Often: More than once a year
Not often: Less than once a year

View results

Such acts can paralyze an organization. New viruses are being released at record speed. And in some cases, virus outbreaks have lead to companies shutting down e-mail systems, as a costly but preventative measure.

Regulations around privacy, such as the Health Insurance Portability and Accountability Act, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.

"In the last 30 or 40 years that we've had computers, there have not been any great strides in making employees aware of the importance of security," Moore said.

Companies are increasingly becoming aware of the problems security breaches and viruses can bring, but few are devoting dollars to educating the work force--the last gatekeepers.

"Very few companies do this, because they don't see how it adds to the bottom line," Moore said, noting that if money is spent, it's often for security-related technology. "Symantec and other vendors have very good products like firewall and intrusion-detection software, but these are only addressing the technical problem."

Symantec, which also sells an off-the-shelf Web-based security training program for employees, finds that prospective customers will cite budget constraints when declining to purchase the training program, or they will buy the company's security products but not the training.

Security counsel
For those who have yet to undergo training, here's some basic advice on how to keep your computer and your company secure:

Passwords: Change passwords frequently, choosing unusual words, numbers or a combination of both. For example, deliberately misspell words, substitute numbers for vowels, do a combination of both, or remember the first letter of every word in a sentence. Vanity passwords, similar to vanity license plates, can also be effective.

Attachments: Beware the unsolicited e-mail attachment, even if it comes from an e-mail address you know (some viruses can hijack addresses). Reply to the sender and ask if he or she did indeed mean to send the attachment.

•  Read e-mail messages in plain text rather than HTML, especially when using Outlook 2003 or Outlook Express.
•  Be suspicious of any e-mail that tries to lure you to a Web site and have you enter personal data. This tactic--called phishing--is used for identity theft.

Browser: Use a utility that prevents pop-ups from opening and installing malicious code on your computer.

Securing data:
•  Before you crack open that laptop and begin entering sensitive data or reviewing confidential information, be aware of who is sitting behind or beside you. It may be better to sleep during that plane trip, rather than unwittingly sharing sensitive information with strangers.
•  Avoid leaving your computer on and unattended. You never know who might pass by and access your information and the corporate network.
•  Take the time to install patches and updates. If you don't, you may wind up spending a lot more time cleaning up the havoc wrought by viruses and the like.

Physical security: Be aware of anyone trying to enter your company's premises without proper identification. Employees need to be vigilant about providing additional eyes and ears for the company.

Who's who: Learn whom you should contact to inform the company of breaches in both physical and network security.

"Ten (percent) to 20 percent of large enterprises have something in house already. And when we ask about their program, it's not a security awareness program at all. All they're doing is posting their security policy on their Web site and calling it training. I'm guessing, at most, maybe 5 percent of those companies are going out and actually training employees," said Kathleen Coe, Symantec's education services director.

John Thompson, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure.

"Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure," Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."

Thompson said that given a fixed budget, companies should first invest in a corporate security policy and staff training, before purchasing security products.

Leading a horse to water
Some companies, however, have taken the initiative to educate their work force, beyond having a security policy in an employee manual or posted on an internal Web site.

Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.

But the tide seems to be turning, even among employees.

"Employees are now concerned with who has access to their data and are also asking questions about whether our backup tapes are adequate," said Breth. "Now they're taking ownership of the data and making sure it's secure, rather than just saying it's the IT department's problem."

Breth noted the new privacy regulations are helping to drive the increase in employee awareness and participation.

Westfield's chief executive has also brought up the issue of IT security during the past two companywide meetings, and that has helped set the tone for visibility on the issue, Breth added.

"Over the past six months, the level of communication we've had with employees has ramped up, and people are being told about the role they play in keeping the whole company secure," Breth said. "Instead of a printed policy inside our employee manual that they read on their first day but then it sits on the shelf, we're now e-mailing people our policy, and they're hearing about it at our quarterly meetings."

Westfield is also supplying its employees with frequent security and antivirus tips that go beyond avoiding unsolicited e-mail attachments.

Convergys, meanwhile, posts a security newsletter on its intranet every two weeks, displays security-related posters throughout the workplace and is currently working on making some of its security and antivirus training mandatory, as well as requiring some familiarity with the company's security policy as part of the annual review process, Moore said.

"The big problem with educating employees on security issues is being able to track whether you're getting through to people," Moore lamented. "Everyone knows about viruses, for example, but half the people don't have antivirus software. They're the ones who become the (spam) zombies and infect the entire human race."


Join the conversation!
Add your comment
Yah training lacks.
My company which will remain nameless, we dont do any security training. Hell we fired our dedicated trainer 3 years ago and the lack of training shows. When I deploy a new system to a new user I gave them a brief overview of the system and for laptop users how to handle their laptops in the airport. I also stress these are not your computers and please do not load software on them but the reality is non of what I say has been approved by my company and is a poor substitute to a real class. Hell when these semi official worms showed up that looked like they came from corp people were tying to install the file from the password protected zip file left and right. I put out an e-mail, per my managers approval because he assured me out company would NEVER distribute software via e-mail, stating that never install software via e-mail. We use an alternative rollout method. And what happens? Less then 2 months later they roll out a patch via e-mail. Stupid idiots.
Posted by Jonathan (832 comments )
Reply Link Flag
The corporations do it to themselves
I have been in IT, or an IT director for the last 7 years.
The companies I have worked for would never pay for the proper security. My job was to implement as much security as possible with the budget I was given.
Oddly, in the last 3 years companies have been so tight that the no longer purchase high-quality network gear - they would rather have a problematic $400 router than a solid $3000 managed router.
I spend about 15% of my week reacting to issues caused by bad security, bad practices, or to a surprise event that we had no infrastructure to manage.
IT managers should be empowered to find and resolve all possible security flaws.
They should be able to do anything needed to protect the company and its customers.
And, they should not have to work 60hrs. a week to get it all done - there is software for that!
Posted by (5 comments )
Reply Link Flag
Customer mentality hard to change
You can train the people till you're blue in the face - but if they really don't care about it, nothing is going to change.

Although I frequently remind my customers not to instinctively open every attachment that enters their inbox - they still do so anyway.

One Salesman even said that he was exempt from that rule - because he was sales, and he has to open every single attachment that comes in.

I'm so happy that these hackers are considerate enough to make sure that he doesn't get any of their nasty viral/trojan attachments.

As I said, training goes a long way, but it only takes an idiot to screw everyone over.

And yes, his system got infected several times after that conversation.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.