As we enter 2009, most of us are tightening our belts as
budgets are slashed and projects put on hold. But security threats continue to
rise. In 2008, the Internet Theft Resource Center estimates that 35 million
data records were breached in the US alone, the majority of which were neither
encrypted nor protected by a password. Such a sad state of affairs shows that
security practices and awareness remain low, and that this will lead to hackers
continuing to prey on organisations.
Even as organisations do close off the obvious security holes, the
number of threats that a business faces continues to grow—from malware attacks
to social engineering.
Even an organisation that has carefully established an
enterprise-wide security programme could still find itself at risk. It may have
developed security plans, put in place controls to limit access to systems and
information, as well as proactively managing network configurations, and
maintaining operations plans for key information systems. But the best laid
plans can have gaps—and numerous studies have shown that people are often the
weakest link, with the insider threat still the greatest for most organisations.
If any weaknesses remain, a malicious or careless employee can circumvent
poorly policed controls, increasing the risk of unauthorised access to and
disclosure, modification or destruction of sensitive information, or disruption
to systems operations and services.
What is needed is the encouragement of proactive behaviour,
which should of course be backed up with controls. Only when employees are made
aware of what is expected of them and understand how inappropriate behaviour
can negatively impact the organisation are they likely to think about the
consequences of their actions. For example, most users are now aware of the
security threats faced when opening an email attachment from an unknown source
without scanning it first, but many still fail to realise the dangers of taking
work home to personal computers that may not have the same security level as a
corporate-issued machine or of downloading software from the internet.
The Office of Management and Budget (OMB), part of the US
government, issued a report in 2007 entitled "Common risks impeding the adequate protection of government information",
in which it identified the top ten risks. In top position on the list was the
risk that security and privacy training is inadequate and poorly aligned with
the different roles and responsibilities of the various personnel involved. The
findings of the OMB are no less applicable to private industry. Indeed, ENISA, the
European Network and Information Security Agency, concurs with the OMB, stating
that awareness of the risks and available safeguards is the first line of
defence for the security of information systems and networks.
If that is not enough to convince, then consider the
following: if your organisation is subject to any of the following
regulations—HIPAA, Sarbanes-Oxley, FISMA, GLBA or the PCI DSS standards—some
level of security awareness training for employees is mandatory. Some of these
requirements are specific in nature, whilst others stipulate that safeguards
need to be put in place that are appropriate according to the size and type of
organisation.
Historically, security awareness training is an area that
has received scant attention. The Business Software Alliance (BSA) recently
conducted a survey of large organisations which found that employee awareness
was a major challenge for 64% of respondents when implementing an information
security programme, with only 16% feeling that their employees were adequately
trained. One of the key reasons for this can be found in the results of the
"Computer crime and security survey" of 2007 undertaken by the Computer Security
Institute. It found that almost half of respondents spend less than 1% of their
IT security budgets on awareness training. Too many organisations have had
their heads in the sand.
However, security has recently emerged from being a grudge
purchase to fix a problem that has occurred and is now increasingly being seen
as a business enabler. This is leading many organisations to realise the
importance of security awareness training and Quocirca has noticed a sharp
uptick among organisations that it has spoken to in terms of putting awareness
programmes in place. Yet, if so many of the respondents to the BSA survey
referenced above feel their employees are inadequately trained, what
constitutes best practices?
Quocirca recently spoke to technology vendor Symantec about
its in-house security awareness training programme for employees, which it is
now also offering as a package to external organisations. To be effective, any
programme must encompass all employees in the organisation, including
consultants and contractors, and must be tailored to provide training relevant
for each role in the organisation. This is backed up with conversations with
other organisations, which started their programme by defining the different
roles in the organisation, from those handling customer payments to IT
development staff.
Symantec, and the clients to which it sells security
awareness training programmes, emphasise that web-based training is not only
the most cost-effective method of training, but also brings the best results,
as employees can study at a time that they choose, with an audit trail
generated showing where each employee is in the programme. It should also be
stressed that initial training should be provided for all new hires, backed up
with continual reminders in the form of posters, screensavers and reminder
cards, with post-training assessments to gauge the effectiveness of the
programme and refresher courses to reinforce it. If the web-based system is also backed up with
collaborative communication tools, employees can ask their peers when they do
not understand things, or can interact with dedicated personnel working within
the areas under study to ensure that they understand exactly what is expected
of them, and why actions are being carried out.
Any training must address the complete range of security
issues facing organisations—including information protection, social
engineering, remote worker security, virus and malware protection, password
security, web, email and instant messaging security, mobile and phone security,
and physical security. It must also be flexible enough to be extended to
address new threats and attack vectors as they come to light.
When prioritising budgets for 2009, organisations should
realise that throwing a technology solution at a problem is not enough to
secure their assets. Rather, employees need to be aware of the part that they
have to play in minimising the risks that the organisation faces. Only when
technology, people and processes are working in sync can an organisation be
sure that its security investments are truly effective.