The Security Buck Should Stop with the End User


The legal systems and cultural landscapes of the UK and the United States differ greatly, so it seems unlikely that the new approach discussed in this vnunet.com story would have much chance of being adopted on this side of the Atlantic.


The security firm Finjan is pointing to two sections of the voluntary Banking Code that require online banking customers to act with "reasonable care." If they don't, the firm suggests, they may have trouble recouping losses from theft. Under such an approach, a customer whose antivirus and anti-spyware software was out of date when the crime occurred could find it difficult to collect on a theft claim.


It's important to note that the story labels the UK rules as voluntary, though the writer doesn't elaborate on what that designation means in practice. It's also difficult to predict how such a move would translate into the corporate world. Regardless, the general idea of putting the security onus on users, where it belongs, is a good one. The reality is that people -- both as consumers and in their workaday lives -- are notoriously lax about the security status of their devices.


This is apparently particularly true of mobile workers. SafeScan this week released a study that puts numbers to the long-held belief that people are more careless outside the office than in it. The study says that mobile employees visit pornographic Web sites, which are strongly associated with malware, 2.5 times more often than office-bound workers. They use file sharing 8.5 times as often, and visit "extremely graphic content" and "illegal activities" sites 5.2 and 3.9 times more often, respectively.


Organizations are getting it, but people are not. The good news in The 2008 Information Security Breaches Survey, which was conducted in the UK, is that organizations are taking a more serious line on security. For instance, four times as many companies have information security policies as did four years ago. The bad news is that employees aren't sharing the newfound concern. Many of them work assiduously to circumvent corporate security measures, either for nefarious reasons or simply because they are focused on collaboration and see the controls as obstacles.


The piece calls for more interactive and customized training. That makes sense: In many cases -- most, perhaps -- people will drop bad habits once they understand the real dangers of their laziness or of their efforts to evade security rules and systems. It also won't hurt to give them a visceral sense that they will be disciplined, or even terminated, for not cooperating fully.