Melissa, I Love You, Code Red, Nimda – the mere mention of these network-threatening pathogens, and the ease with which inexperienced users can invite them in past a million dollars' worth of firewalls, is enough to make managers reach for the economy-size antacid bottles in their desk drawers.
But according to security professionals, a few basic policies and training procedures can be a simple, cheap and surprisingly effective solution to those security breaches caused by end-user ignorance.
“If you have a virus problem, but you just don’t have a couple of hundred thousand dollars to buy the newest antivirus software, you can still teach your people how to be cautious about how they exchange data, how they open data and what kind of things to look out for,” said Aidan Fisher, president of Ottawa-based Sensible Security Solutions Inc.
Fisher, whose firm has helped many Canadian companies create data-protection procedures, said security incidents often happen because users just don’t know any better – and to know better they need to be trained.
Regardless of an organization’s size, the first thing it has to do is develop a security policy, said Michael Murphy, the Toronto-based Canadian general manager of Symantec Corp.
“They need a policy around Internet usage; and they need a policy around e-mail usage, and it needs to be simple. The corporate policy could be complex, but it needs to be trimmed down into a one-pager so that every employee understands what their obligations are, and what their requirements are,” Murphy said.
Additionally, a security policy needs to be sold to employees as a crucial aspect of the company’s common good, rather than a productivity or behaviour-monitoring tool. Managers, said Murphy, should “avoid taking a heavy-handed, sort of Orwellian approach of ‘Don’t do this, don’t do that.’”
Before ordinary employees can be educated, top executives have to understand that their businesses are at risk if they do not spend adequate resources on security, said Ren