Roger A. Grimes is an InfoWorld contributing editor. Roger holds more than 40 computer certifications and has authored eight books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. A frequent industry speaker and educator, he currently works for Microsoft as a principal security architect.
Roger has another great column in InfoWorld about the biggest bang you can get for your Infosec budget. He started with: "Most organizations don’t do enough to educate users about computer security. The main purpose of user education programs is to decrease human-factor risk substantially. If they don’t accomplish that, the whole exercise is a waste of resources.
Such programs, if they exist at all, consist of a sort of security orientation program for new employees, with an annual update and refresher course lasting 15 minutes to an hour. Occasionally, you’ll see an in-house security newsletter and/or periodic Web posts that employees might read on a slow workday.
This lack of commitment is strange, considering the overall effectiveness of user education to stop employees from doing stupid stuff. In my opinion, doubling, tripling, or even quadrupling security education requirements and budgets should happen immediately in most organizations.
Why? Because the most prevalent, successful threats rely on social engineering, one way or another. That could be a phishing email, a rogue link, or an offer of a free download that pops up on a trusted website. In rare instances, it’s a physical phone call asking for credentials to be reset or for the person to install “needed” diagnostics software to remove malware.
The fastest and cheapest bang for your buck is user education training to counteract those threats. Unfortunately, such programs tend to focus on scenarios users will never face -- or were prevalent 10 years ago. Certainly,
most education programs fail to cover the malicious tactics an organization is fighting at a given time."
And in the rest of his column he gives some great suggestions how to manage this problem. Read it here: