What you don't know, can hurt you
"Unfortunately, people are still not thinking before opening an [email] attachment. Every time a new virus comes out, people go out and do the same thing they shouldn't be doing," said Mike Breth, IT audit manager for the Westfield Group, an insurance and financial services company.
Such acts can paralyse an organisation. New viruses are being released at record speed. And in some cases, virus outbreaks have lead to companies shutting down email systems, as a costly but preventative measure.
Regulations around privacy, such as the Health Insurance Portability and Accountability Act, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.
"In the last 30 or 40 years that we've had computers, there have not been any great strides in making employees aware of the importance of security," Moore said.
Companies are increasingly becoming aware of the problems security breaches and viruses can bring, but few are devoting dollars to educating the workforce -- the last gatekeepers.
"Very few companies do this, because they don't see how it adds to the bottom line," Moore said, noting that if money is spent, it's often for security-related technology. "Symantec and other vendors have very good products like firewall and intrusion-detection software, but these are only addressing the technical problem."
Symantec, which also sells an off-the-shelf Web-based security training programme for employees, finds that prospective customers will cite budget constraints when declining to purchase the training programme, or they will buy the company's security products but not the training.
"Ten [percent] to 20 percent of large enterprises have something in house already. And when we ask about their programme, it's not a security awareness programme at all. All they're doing is posting their security policy on their Web site and calling it training. I'm guessing, at most, maybe 5 percent of those companies are going out and actually training employees," said Kathleen Coe, Symantec's education services director.
John Thompson, chief executive of security software provider Symantec, has been a long-time advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure.
"Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure," Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."
Thompson said that given a fixed budget, companies should first invest in a corporate security policy and staff training, before purchasing security products.
