What Every End User Should Know About Online Security

[Excerpted from "What Every End User Should Know About Online Security," a new report posted this week on Dark Reading's Endpoint Security Tech Center.]

Every day, enterprises deploy technologies and policies that are designed to keep end user information safe and to prevent end users from exposing enterpris data to potential attacks from outside the organization. And every day, end users forget, ignore or openly break endpoint security policies and controls to gain access to the data and applications they want to use.

When employees break security policies, it's not usually done with any malicious intent; human error is often the cause, as is a failure to appreciate how risky certain actions -- such as circumventing security controls to complete a task more quickly or to help out a colleague who has forgotten his ID card or login credentials -- can be. And while sharing a password or sending a spreadsheet of clients to a personal email account so it can be worked on at home may be done with the best of intentions, such actions undermine IT security policies and put endpoints and enterprise data at risk.

Employees don't adhere to security policies for various reasons, such as these:

* They're not aware of them.

* They don't understand the potential consequences of their actions.

* They see such policies as a hindrance to getting their jobs done.

* Security isn't seen as being that important.

These issues need to be tackled head-on to change users' approach to protecting their work environment. Security has to be seen as making online life possible, not impossible.

Spending security budgets on new technologies in the hope that they will be the silverbullet solution to failings in user behavior is not the answer. Focusing instead on behavior-based strategies to minimize human error, particularly issues caused by ignorance, will pay far bigger dividends.

According to the U.K. government's Information Security Breaches Survey 2013, there's a clear return on investing in staff security-awareness training: According to the survey, 93% of companies where security policy was poorly understood had staff-related breaches, versus 47% where policy was well understood.

Security policies are often ignored because organizations fail to explain why certain security controls and procedures are necessary. For this reason, many users see these controls and procedures as the equivalent of red tape --pointless obstacles to keep the technocrats in IT happy. If people understand the challenges the business faces when it comes to keeping systems and data secure, they're far more likely to accept the need for security.

But how do you get people's attention, make them sit up and think, ask questions and take a genuine interest in IT security?

Shock and awe. Security-awareness training should start with a wakeup call to complacent executives and users. Get their attention by showing them how cybercrime has become a global and sophisticated business. Hit them with some cybercrime stats and the latest scams, and emphasize that each and every one of them (literally) is a target.

To find out more about end user training -- and for a list of some of the key lessons you should teach -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.