Who should teach the staff the basics of IT security

Do companies need to take care of their personnel’s IT education today? This issue is controversial because on the one hand it is quite difficult to find people nowadays who don’t know how to use a computer. On the other hand, it is even more difficult, or rather impossible, to imagine a company that does not use IT at all. Basic computer literacy today is as widespread as the ability to read. So problems with IT education arise when the question turns to security or to something beyond the basic framework.

Most people today have heard about viruses, Trojans, hacker attacks, etc. However, when it comes to more exotic threats, the average person’s knowledge is woefully lacking. According to the August 2013 survey of user attitudes towards IT security by Kaspersky Lab and B2B International, only 6% of respondents knew about vulnerabilities and zero-day exploits, 21% had heard something about them and 74% had no idea what they were. A similar pattern is observed in the case of botnets: 6% knew about them, 24% had heard something and 69% were totally unaware of the concept.

Moreover, according to the survey Global Corporate IT Security Risks 2013 by B2B International and Kaspersky Lab, in the last 12 months a substantial number of incidents resulting in leaked sensitive corporate data were caused by employees’ actions. 19% of the surveyed companies experienced that. 18% of companies had their critical data fall into the wrong hands as a result of “improper” use of mobile devices.

We have repeatedly pointed out that the surest way to ward off such incidents is by providing end users with adequate information about IT risks and methods to avoid them. The question is who should be training the staff.

65% of companies make their own IT departments responsible for that. This lays an additional burden on them. The participants of the survey by B2B International admitted that in most cases the IT departments do not have time to regularly train employees. In addition, the maintenance of infrastructure and personnel IT security training are different areas of specialization.

In this regard, a much more productive option would be to entrust outside experts with the training task, but only 12% of respondents do that.

IT security education for staff is also occasionally (in 8% of cases) handled by HR, in addition to staff development and training departments. Even more seldom (in 3% of cases) companies contract training service providers.

The vast majority of companies recognize that teaching their staff IT security is necessary. Only 4% of respondents claimed they were not training their employees. The question is how good the results of this training are, how wide a range of current threats it covers, and how ready the end users are to follow the set of security policies.

So far 39% of surveyed companies admitted their employees did not always abide by the rules. This situation can be improved by an effective solution protecting the whole infrastructure of the company from external threats and employees’ mistakes. Kaspersky Endpoint Security for Business has integrated tools that automatically ensure users’ compliance with applied security policies, thereby protecting the infrastructure from improper actions of employees.

Nevertheless, every system is only as secure as its weakest component. These weak components are often people who lack the necessary knowledge of cyber threats. This knowledge, among other things, implies the readiness of workers to follow the IT security policies adopted in their companies, which in turn supports the protection of the company’s infrastructure against external and internal “hostile activity.”
