Businesses spend billions of pounds on security technology, but investing in security awareness could cost less and prove more effective.
Barclays Bank has shown that education may be the key to IT security - more so than the $44.6bn Gartner says businesses will spend globally on software, hardware and services.
Businesses report difficulties in measuring return on investment, and high costs are often cited as the chief reason for not investing in security awareness programmes.
But Barclays was able to increase security incident reporting by a factor of 10 by producing an innovative training video that used humour to target audiences.
"Many organisations are put off by the cost, but the whole project worked at less than £1 per employee," says Mark Logsdon, deputy head of information risk management at Barclays.
The project took only four months to complete, but should last up to five years as the video can be edited and updated, he says.
Barclays commissioned five short Hollywood blockbuster-style films to illustrate security principles such as keeping passwords secret.
Although insider threats are a serious risk to business, when an outsider gains insider privileges, the potential damage is much greater, say security experts.
One of the most common methods criminals use to get insider privileges such as passwords is social engineering - tricking members of staff into disclosing the information they need to attack systems.
Security consultant Colin Greenless showed earlier this year how easy social engineering is by getting passwords from 17 of 20 people he asked at a FTSE financial firm.
And yet security awareness training is not a priority for most UK organisations, and is often the first thing to be cut in an economic downturn.
A freedom of information request revealed that only one in nine UK government departments has a specific budget for training staff in IT security in 2009.
"Training people is about improving their effectiveness. If they do not understand how to protect against security threats, the risk is much higher," says Robert Chapman, chief executive at Firebrand Training.
Logsdon says most organisations spend too much time focusing on technology and people are often neglected.
There needs to be a balance between people, technology and processes that make it easy for people to do the right thing, he says.
This is important, says Marcus Alldrick, chief information security officer at insurance firm Lloyd's of London.
"The challenge is to get people to follow processes that support technology," he says. This is another reason education around IT security is important.
Attitudes to information security
A survey of attendees at the recent (ISC)² Secure London conference found that most believe people are most important to a successful information security strategy.
Some 70% said people were the key component, compared with 18% for processes, 6% for technology and 6% who said all three were equally important.
Delegates also heard that security professionals must educate themselves about the latest attack methods to be effective.
Without researching the latest attack methods and motivations, any security technology is a "shot in the dark", according to James Rendell, UK technical manager, IBM internet security systems.
The biggest danger is IT professionals deploying countermeasures they believe are effective, but in reality are not because they do not understand the real nature of the threat, he says.
Cybercriminals require the same return on investment as legitimate businesses, so security professionals must prioritise defences against threats such as SQL injection attacks, which are easy, low cost and have a large number of targets, says Rendell.
Security technology and processes are indispensable, but without proper attention to educating people, both users and IT professionals, billions of pounds spent on security hardware and software will be wasted.