Anyone catch Ben Worthen’s article on the Wall Street Journal’s Business Technology Blog? The article, titled “Shocking New Survey: Employees Willfully Violate Security”, got me thinking about Information Technology & Security.
Now…I’m not a security person. I understand the technologies and the reasons for enacting security measures but I have no experience running IT security operations so please forgive my ignorance when I ask this question:
Why spend time and money attempting to secure the network and then not educate the end-users on why those security measures exist?
I’ve seen organizations spend millions of dollars on technology and then have the network taken down by a simple act.
For example, I’ve experienced the damage that a USB flash drive containing a file with a worm/virus can cause. This USB flash drive was inserted into a computer and within 3 hours the entire network had been taken down. Of course, this virus/worm should have been caught by the virus scanning software on the user’s computer but for whatever reason it wasn’t and it gained access to the network. This simple act caused this organization’s entire network (covering 4 offices and more than 200 people) to be down for 3 days. The cost to repair this outage was astronomical.
The above situation is a difficult one to address with just technology. This organization had spent a lot of money to keep it from happening…but…it happened.
How much easier would it have been to educate that particular user on the danger of not scanning files for dangerous items like a virus or worm? I think it would have been much cheaper than the cost of repairing the entire IT infrastructure. Of course, no amount of education can overcome the mindset of “it won’t happen to me” but at least it’s worth a shot.