Ignorance is dangerous

While IT security is important to many organisations, it seems few are taking the most obvious precautions.
By Warwick Ashford, ITWeb London correspondent
Johannesburg, 20 May 2005

A study published this week by the Computing Technology Industry Association (CompTIA) found that 89% of organisations surveyed believed that major breaches have been reduced as a result of IT training and certification.

OK, this is hardly surprising on its own. The connection would be obvious to any right-minded person: IT security training promotes improved potential identification, increased awareness, improved security measures, and an ability to respond more rapidly to problems.

However, given the obviousness of the connection between education and security, it is more than mildly surprising that the same CompTIA study also found that half the organisations surveyed had no plans whatsoever to implement security awareness training for staff.

In other words, there is a large discrepancy between the security that organisations say they need and the level of education and prevention taking place within these organisations. But why? Could it be the result of recklessness or sheer lunacy? Surely not?

Recklessness and foolishness would be obvious answers, especially when one considers that 80% of serious security breaches are blamed on human error; however, I suspect the cause has become hidden for a much more worrying reason.

The fact that organisations are neglecting education around IT security issues means policy-makers are unable to see that technology alone is not enough to keep data secure.

Blind faith?

Warwick Ashford, portals managing editor, ITWeb

Is it possible that business has become so dependent on technology and has so much faith in it that its shortcomings are no longer obvious and business leaders have consequently abdicated all responsibility for protecting data assets?

This is the only explanation I can think of for organisations that can ill afford losses of confidential information or interruption of workflow not having stringent security training and certification requirements.

Clearly, the study shows security assurance continues to depend on human actions and knowledge, but few US organisations seem to realise this. Would I be correct in assuming the same is true for local organisations?

Difficult though it may be to believe, the study found that training and certification requirements are uncommon, with only 27% of organisations surveyed requiring IT security training and 12% requiring certification.

This is true despite the fact that nearly 40% of organisations surveyed had experienced a major IT security breach in the six months prior to the study being carried out. I can't think of any reason for this other than blind faith in technology-based security solutions.

What happened to business's natural scepticism of computer technology in the 1960s and 1970s? Perhaps it wasn't such a bad thing after all.

Or just laziness?

Although faith in technology seems to be as good an explanation as any, another finding of the study leads me in a different direction, not far off the initial inclination towards recklessness and foolishness.

The study found that 53% of the organisations surveyed did not have written IT security policies, which, as CompTIA points out, fosters gaps in security knowledge, especially among end-users.

Could it be that plain human laziness is at the root of the discrepancy between the level of security that organisations say they need and the level of education actually taking place?

Perhaps the real cause of the prevailing lack of security education is none of these reasons or perhaps it is actually a combination of them all. Whatever the reason or reasons, the fact remains that about one in 10 organisations designate no IT budget at all to computer security.

In light of this last fact, I am once again tending towards basic foolishness and stupidity as likely reasons for the study's findings on IT security in the US workplace.

There is, however, one firm conclusion that is easy to make: when it comes to ensuring the safety of company data assets, ignorance is extremely dangerous.
