2011-06-01
Abstract
‘In the fight against cybercrime knowledge can be a very powerful weapon.’ Helen Martin, Virus Bulletin.
Copyright © 2011 Virus Bulletin
The end of May marked my tenth anniversary as Editor of Virus Bulletin. In some ways it seems like only yesterday that I was cautiously taking my first steps in the anti-malware industry, yet in other ways it’s hard to believe that so much has changed in just a decade. There are a couple of things that have not changed: the warmth and friendliness of the members of this industry and the age-old debate over user education.
The importance of IT security in today’s super-connected world seems to become ever more apparent on almost a daily basis as we hear reports of the servers of multinational companies being hacked, personal data being stolen, financial losses through phishing, targeted attacks, cyber espionage and so on.
PWC’s 2011 Global State of Information Security Survey (which questioned more than 12,000 executives responsible for their organization’s IT and security investments) reported that 20% of organizations had suffered financial losses as a result of cybercrime, 15% of organizations had suffered intellectual property theft, and 14% said that their brand or reputation had been damaged as a direct result of cybercrime. Meanwhile, digital investigations firm Guidance Software found that an astonishing 64% of employees are given no instruction about IT security in the workplace.
While the perpetual debate about the efficacy of user education runs on, a clear IT security policy in the workplace, along with guidance on how to adhere to such a policy, is surely one of the most basic steps an organization can take to help safeguard its systems.
Ensuring that employees understand their responsibilities – and that they are fully aware of the ramifications of any breaches of the policy – is also an important factor. It is unlikely that many end-users within an organization will have a direct interest in IT security, so an effective way to get the message across is to educate in a way that relates to their jobs and which illustrates how their actions can play a role in safeguarding the company’s assets (and ultimately their own job security).
Education at the IT administrator level is also important – in the fight against cybercrime knowledge can be a very powerful weapon. Learning events that provide solid, meaningful content from respected industry researchers can be an excellent resource for IT security admins – helping them to keep up to date with emerging issues and the latest defensive procedures. Indeed, providing such an educational forum is one of the key aims of VB’s one-day UK seminars (the second of which was run at the end of last month).
However, a big question mark remains over the education of the general public. One VB Seminar delegate asked last month: ‘What efforts are AV vendors making to provide education for the masses?’ Most (if not all) AV firms make concerted efforts to raise general awareness of the threat landscape and the need for defensive measures. Within the industry we see frenetic blogging, tweeting and issuing of white papers in an attempt to spread the security message, and we often see company spokespersons talking to the media when a big cybercrime story breaks. But could vendors put more effort into providing education for the masses – to reach those who are not likely to be perusing technology blogs on a regular basis and who are not inclined to follow the latest IT security Twitter feeds?
Could AV firms look upon education programmes for the general public in the same way as free products? A growing number of security firms now provide versions of their products that are free for home use – the purpose of which is to enhance the security of the community as a whole, while also benefiting the company in question by building trust in the brand name. If AV firms were to invest more in education at the most basic level, finding ways to capture the imagination of the masses rather than sticking to their comfort zones of the online technology pages, could they both raise their own commercial profiles and benefit the community?