Recently I've been thinking more and more about the problem of end user risk. It was prompted by some discussions with a small company here who lamented that they had to place extreme policy controls in place because their users would "wreck it " otherwise...
So I thought - I wonder why their users are so very dangerous to them? (Apart from the obvious of course...) So I went and spoke to a few of their users. They told me that the IT area used confusing words and couldn't explain why security was important to them so it wasn't seen as relevant. It seemed to me that this organisation forgot that People, Process and Technology need to work together to truly address security. The more I spoke to other people in IT, the more I realised that this is a consistent problem. In IT we always manage to get the technology side (more or less) right - and sometimes we do the Process side - but we always miss the People bit. In many cases - the security breaches we see in businesses are caused by users and their naivety or ignorance as to the correct procedure or safe practise and a lot of these cases stem from a lack of end user security education.
So I've recorded another blogcast/screencast/video thingy on the problems with motivating users around security and changing your perceptions in the eyes of the users.
After you're done watching that I've linked to some resources that you can download to begin this process of starting this conversation with the users and demonstrating some education that will not only help them at work but also at home.
- End User Security Discussion Resources (120MB Download)
While you're at it...I'm curious to know how many of you find this area of security challenging? Fill out my online anonymous poll so we can see if its a consistent theme.
Updated: 25/9 4:12pm - Embedded survey wasnt working properly so Ive replaced it with a direct link to it.