Today, I’d like to vent some frustration at what I see as one of the major fall-downs in businesses relating to information security. That is, businesses are failing to adequately train their personnel.

Effective security requires a unified approach. Appropriate technology and well-written policies are absolutely critical. But they cannot provide the entire solution. Studies have shown that it is the human element that is at the heart of most security incidents. This should not come as news to anyone reading this blog. In my experience, it is the failure to provide employees with appropriate and ongoing training that creates conditions ripe for a security incident.

Businesses do not hesitate to spend many thousands of dollars purchasing and deploying sophisticated information security technology. They spend similar amounts developing security policies, information handling requirements, and related documentation (soon to be the subject of a future rant in this blog regarding the quality and understandability of these types of documents). But when it comes to personnel training, we see a minimal attempt to provide basic training at the time of hire and a lunch room poster or two aimed at “security awareness.” Such an approach is grossly inadequate. This is not to say some businesses aren’t on top of the training issue, but many clearly fall short.

Proper training of personnel has several advantages. Foremost among them are the reduction of incidents and the ability of the company to demonstrate it has acted diligently to protect its information and, if applicable, the information of its customers. This last point bears a further comment. In the event of a compromise of security, one of the key questions courts and regulators, like the FTC, will ask is “did the business do what is reasonable under the circumstances to secure its information?” We all know it is generally impossible to absolutely secure information. Breaches of even the most secure systems can occur.
Just ask the government. The question, however, is whether the business that has experienced the breach did everything that was reasonable under the circumstances to prevent the breach. Obviously, what is “reasonable” will change over time. But the constants are (1) appropriate technology, (2) relevant policies, and (3) proper education of personnel. Businesses that address the first two constants, but not the third, are opening themselves up to potential claims that they failed to act reasonably in protecting their information.

To many businesses, the idea of ongoing training about current and future security issues is just not on their radar screen. This must change. Money must be allocated to ensure this single greatest source of security compromises is addressed. I have seen this work in businesses that have implemented more rigorous training for their personnel. They have been able to achieve far greater security and have significantly reduced incidents. Other businesses should follow suit.