It's easier to talk about anti-virus, intrusion detection systems, network access control and other pieces of hardware and software than about the real problem: people.
The reason the human element is not discussed as often as security widgetry is its unpredictability. Code operates under a given set of conditions. Humans clearly do not.
While dealing with people is messier, it also has a far greater upside for security professionals. People, unlike security applications, can be taught to do a better job. The good news is that ever-more information is available to protect laptops (which seem to be particularly vulnerable) and other devices and systems.
The trick is to get people to pay attention. This Processor piece, which is based on a survey of more than 450 senior executives and IT managers at small and medium-size businesses (SMBs), found that managers believe better awareness among employees will improve security. The bottom line is that improving education and training is among the most cost-effective ways to buttress security. This message -- that the more folks learn about security, the safer devices and systems will be -- clearly is intuitive.
But that doesn't mean that organizations have done all they can do to exploit the opportunity.
The Processor story offers some suggestions:
Another area in which education is a big deal is how potential customers perceive the safety of e-commerce. The Pew Internet Project released a study that revealed that 75 percent of those surveyed don't like to give out personal information on the Internet. Report author John Horrigan is quoted as saying that this belief, whether it is "real or perceived," is slowing the growth of the Internet economy.
Pew even puts a number to the notion: Horrigan said that 7 percent more people would shop online if the fears didn't exist. Of course, no system can be guaranteed completely safe. The story makes the compelling case, however, that online commerce is more secure than the use of credit cards in brick-and-mortar scenarios. Driving that notion home clearly is the salient challenge to security personnel working for organizations that must coax sensitive information out of the consumers with whom they deal.
Some progress is being made. Forty percent of respondents to The Conference Board's Consumer Internet Barometer say that they are planning to file their federal tax returns online this year, an increase of 6 percent from three years ago. More than two-thirds -- the release doesn't provide a precise number -- have filed online for three years or more. That number was less than 55 percent in 2005.
The Consumer Internet Barometer, the release says, is a survey of more than 10,000 households. It's interesting that paying taxes online is considered safer than other types of cyber-transactions. Half of respondents said that they are "extremely concerned" with banking online and online bill payments, while only 44 percent expressed the same sentiment for online tax filing. Women, the survey said, remain more concerned than men about paying Uncle Sam through cyberspace.
There also is a long way to go. The study referenced in this OSA post is aimed at consumers. Clearly, however, the results have ramifications for IT security staffs simply because people don't become any smarter or more knowledgeable when they go to work. Important details on the study are not provided, but the results seem in line with what is happening. Twenty-five percent of respondents have not heard of phishing, 46 percent couldn't accurately define the term, and 78 percent had no idea how to assess the security of an online site.
The good news, if there was any in the survey, is that virtually all respondents (98 percent) understand that it is important to know whether or not a site is safe to visit. Security staffs and IT departments must play a big role in teaching them -- as well as the employees whom they oversee -- two things: that the Internet doesn't have to be a dangerous place, and the keys to keeping it from becoming one.