To some degree, we’re all security workers
July 2007
Back in the good old days, security meant having a firewall and anti-virus. Security was the problem of the IT Department and therefore required a technical solution ("this service" or "that box"). This changed when virus outbreaks and security attacks brought down parts of the network. The Internet and email still make up the majority of security scare incidents and their use as a business tool means that organisations will always be vulnerable in some form. IT security became a business problem.
Security and IT professionals have had to develop a lot of skills regarding good information security. IT security relates to operating systems, application development and network infrastructure, as well as the emerging areas of computer forensics, virtualisation and biometrics. The IT Department may now know more about securing its IT infrastructure, but what about securing employee habits?
A recent poll by McAfee has found that only 32% of companies have IT security as an aspect of employee induction. While this poll was conducted in Europe, I’m certain that the results would be similar in Australia. Interestingly, about half of poll respondents said that employees were responsible for a personal email propagating a virus onto the network. Over two-thirds said that employees were responsible for stolen laptops.
This raises two concerns for me. One is that even if an employee is “responsible” for a security breach such as a virus or a stolen laptop, it is still the company that has to resolve the issue. The onus of responsibility becomes irrelevant because the company still has to deal with the problem. Secondly, if half of respondents believe the employee is responsible for a virus and two-thirds believe they are responsible for a lost laptop, shouldn’t more than one-third of companies be offering some form of security induction training? Such training would be a good step to reduce the risk of these security incidents occurring.
The employee induction process provides a fantastic opportunity to introduce employees to the concepts of good information security. There will always be new gadgets that increase security on the network, but if employees aren’t taught good information security concepts, like how to avoid opening dubious-looking emails, then why buy them? Good security seems to be more about finding the right balance.