The need to educate users about web security and the risks of losing data remains a key challenge to businesses.
I asked some vendors what they thought of the situation regarding employee education and how users can be better educated.
Kevin Bocek, director of product marketing at IronKey, said that when it comes to lost devices, 'education won't stop mistakes like this'.
Speaking about attitudes to malware, Stephen Howes, founder and CTO of GrIDsure, said: “The truth is that most computer users do not know or care what the latest iteration of the Zeus banking Trojan is, or which anti-virus software offers them the best protection.
“So while user education on the risks is always important, I believe that the online service providers should put in place systems that are easy to use and secure enough to make it very difficult for a hacker to steal logon details even if they have infected the user's PC.”
So is it a case of a lack of understanding or simply complacency? Perhaps it is a lack of interest in the more complex areas of internet security.
The announcement of £650 million to invest in cyber security as part of the Strategic Defence and Security Review (SDSR) led to varying opinions on how best to use the funding efficiently, but one consistent recommendation was that it 'be used for education'.
Fran Rosch, vice president of trust services at the Symantec enterprise security group, told SC Magazine: “It is like the seatbelt campaign: 30 years ago no one wore one and the car companies said it would put them out of business; now everyone always wears one. Campaigns need to be a multi-lingual effort, advertising campaigns can have an effect, and government has a responsibility to make sure guidance is clear and safe.”
Ed Rowley, product manager of M86 Security, told SC Magazine that there are recurring scenarios where people are fooled or do not stop to think twice when an online scam appears to be too good to be true.
He said that is why education is so important, as even with IT security issues appearing more frequently in the news, people still manage to ignore it. He said: "It is becoming quite difficult to hammer the message through before the ultimate action is taken in stopping people having access to certain non-work related tools."
When I spoke with Internet Security Forum (ISF) principal research analyst Adrian Davis on the ways to handle educating employees, he said that there have been a few instances where some organisations have said ‘shoot one to encourage the others’, where people have lost their jobs because they flagrantly disobeyed the rules.
He said: “The key thing is to have a grown-up conversation with your employees, say that ‘we know you use those websites and here are three things to remember’, and reinforce the message with positives and negatives. Information security law is always don't, don't, don't and we have to change that; it should be ‘do but think’, or ‘think then do’ and that is the key message; it is okay to use this and in future even more.”
Speaking on practical methods to educate in a work environment, Rowley said that a key way is to inform a user of what they are doing wrong, as 'once they have that taken away they will know what they have lost and why they lost it'.
He said: “With posters up as part of raising general awareness, there is subliminal reinforcement of what they are being told all of the time on IT security, but it is not the job of the IT department to tell people. They can help by having disclaimers applied to an internal email highlighting a point of IT security, but that should come down from HR or management and certainly it is a different way of getting the message out there that should be sponsored by the company as a whole and not by the IT department.
“Rather than embarrassing and forcing them to go and speak to IT, people will be more receptive to an automatic notification telling them what they did and why their email or access to a website was blocked, using reason and letting people know. If you block with no information, people will not contact IT and they will get frustrated.”
The money is there for a nationwide campaign to educate users, but it continues to be an uphill struggle. As for practical tips on how to educate users both in and out of work, this will remain a key theme, and it is a case of watch this space for further advice in the weeks to come.