We don’t hear about this much in the “mainstream media,” so it’s good to see a well-known online publisher writing about the topic of dumb users causing security problems. SearchCIO-Midmarket.com has a piece on this very topic. According to a study done by GFI (the maker of a good entry-level vulnerability scanner, among other things), 48% of people believe that better awareness of security among employees would improve overall security…more than getting management on board (which I disagree with) and way more than having a large security budget.
All that said, we can recommend and claim we’ve performed “user awareness training” until we’re blue in the face but we’re still going to have security problems. Why? Because many employees don’t listen, they forget, and they – by and large – don’t care. They just want to go to work, do what they need to do to earn their paycheck, and not be hassled with security controls and mandates from IT.
Here’s the deal: People do things for a reason…They violate policies and create business risks because:
Remember that people will continue to violate security policies and create business risks until there’s a real incentive for them not to. Period.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”