Back in the late '60s, Warren Moore was a young man working in the IT department at apparel giant Genesco.
As a prank, Moore rewrote some code for the company's IBM mainframe to allow him to send anonymous messages to co-workers. But his joke inadvertently resulted in his message being inserted into a sales forecast report, which was about to be presented by a Genesco vice president.
"Luckily, they didn't fire me," said Moore, who now serves as an information security consultant for Convergys. "I kept my job, but it got me thinking about computer security, and it got Genesco thinking about it too. They offered all their employees a program on the dos and don'ts of working with computers."
Genesco was ahead of its time in offering information-security training to its rank-and-file workers. And even today, security experts say very little is being done to educate employees on antivirus techniques and company policies relating to information security.
"People are the weakest link," said Chris Pick, vice president of market strategy at security and systems-management company NetIQ and co-founder of Human Firewall, an educational and informational Web site now operated by the Information Systems Security Association, or ISSA. "Education is the first line of defense."
But apparently not many companies are following that playbook.
Last year, the Human Firewall Security Awareness Index Survey found that 48 percent of the companies participating in the survey had never provided formal security training for their work force, Pick said. And of those companies that had, only 15 percent provided such training in the past six months. The National Cyber Security Partnership seems to be aware of the problem too. In March, the group urged companies to adopt more security education.
The lack of an informed work force can be costly for a company, since technology can only go so far in protecting a network, security experts said.
What you don't know, can hurt you
"Unfortunately, people are still not thinking before opening an (e-mail) attachment. Every time a new virus comes out, people go out and do the same thing they shouldn't be doing," said Mike Breth, IT audit manager for the Westfield Group, an insurance and financial services company.
Such acts can paralyze an organization. New viruses are being released at record speed. And in some cases, virus outbreaks have lead to companies shutting down e-mail systems, as a costly but preventative measure.
Regulations around privacy, such as the Health Insurance Portability and Accountability Act, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.
"In the last 30 or 40 years that we've had computers, there have not been any great strides in making employees aware of the importance of security," Moore said.
Companies are increasingly becoming aware of the problems security breaches and viruses can bring, but few are devoting dollars to educating the work force--the last gatekeepers.
"Very few companies do this, because they don't see how it adds to the bottom line," Moore said, noting that if money is spent, it's often for security-related technology. "Symantec and other vendors have very good products like firewall and intrusion-detection software, but these are only addressing the technical problem."
Symantec, which also sells an off-the-shelf Web-based security training program for employees, finds that prospective customers will cite budget constraints when declining to purchase the training program, or they will buy the company's security products but not the training.
"Ten (percent) to 20 percent of large enterprises have something in house already. And when we ask about their program, it's not a security awareness program at all. All they're doing is posting their security policy on their Web site and calling it training. I'm guessing, at most, maybe 5 percent of those companies are going out and actually training employees," said Kathleen Coe, Symantec's education services director.
John Thompson, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure.
"Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure," Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."
Thompson said that given a fixed budget, companies should first invest in a corporate security policy and staff training, before purchasing security products.
Leading a horse to water
Some companies, however, have taken the initiative to educate their work force, beyond having a security policy in an employee manual or posted on an internal Web site.
Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.
But the tide seems to be turning, even among employees.
"Employees are now concerned with who has access to their data and are also asking questions about whether our backup tapes are adequate," said Breth. "Now they're taking ownership of the data and making sure it's secure, rather than just saying it's the IT department's problem."
Breth noted the new privacy regulations are helping to drive the increase in employee awareness and participation.
Westfield's chief executive has also brought up the issue of IT security during the past two companywide meetings, and that has helped set the tone for visibility on the issue, Breth added.
"Over the past six months, the level of communication we've had with employees has ramped up, and people are being told about the role they play in keeping the whole company secure," Breth said. "Instead of a printed policy inside our employee manual that they read on their first day but then it sits on the shelf, we're now e-mailing people our policy, and they're hearing about it at our quarterly meetings."
Westfield is also supplying its employees with frequent security and antivirus tips that go beyond avoiding unsolicited e-mail attachments.
Convergys, meanwhile, posts a security newsletter on its intranet every two weeks, displays security-related posters throughout the workplace and is currently working on making some of its security and antivirus training mandatory, as well as requiring some familiarity with the company's security policy as part of the annual review process, Moore said.
"The big problem with educating employees on security issues is being able to track whether you're getting through to people," Moore lamented. "Everyone knows about viruses, for example, but half the people don't have antivirus software. They're the ones who become the (spam) zombies and infect the entire human race."