Securing Systems: CyberSecurity for the Masses

By Melissa Solomon  |  Posted 2003-09-10
The Blaster worm brought businesses worldwide to a standstill last month. Just ask railroad operator CSX about its halted trains. Yet it wasn't a surprise attack: Microsoft knew about the vulnerability and released a patch on July 16, nearly a month before the worm appeared. Many information-technology departments still missed the threat. So did most individuals, even those who receive automated security-update notices from Microsoft.

The message: Any corporate security plan has to include training users of desktop and mobile machines on computer-security hygiene.

Companies should train users at least once a year, says Christian Byrnes, an analyst at Meta Group. In the health-care industry, federal legislation (HIPAA) goes further and mandates that a security-education program be in place, to reduce the risk created by ignorant or negligent users.

The Computer Security Institute (CSI) offers courses on building an information-security-training program for all employees—"from the executive office to the janitorial staff," says the CSI. And the Information Technology Association of America (ITAA) recently began a security-certification program for nontechnology staff.

A formal class isn't necessary to start individuals thinking about security, of course. Byrnes recalls a test by a company whose CIO called employees, claimed to be from tech services and asked for their passwords. To his dismay, 70% gave them up without even asking his name.

That users are actively following good security routines "is an issue that we take for granted," says Bob Cohen, an ITAA spokesperson. "But it's one that can have powerful consequences."
