There is an old saying in the security world stating that people are the weakest link in the security chain. Here is a bit of data that reinforces this ancient security adage.
ESG Research recently conducted a project focused on confidential data security that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e., 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures for protecting confidential data, nearly half of all respondents said "communicating and training users on confidential data security policies." This was the top response, followed by "physical security" and "access controls for private data."
Now here's the scary part. When asked to rate their organization's performance with regard to "communicating and training users on confidential data security policies," more than one-fourth of security professionals gave their organization a rating of either "fair" or "poor." In other words, many organizations aren't doing a good job in the most important aspect of data privacy and security: communicating with and training employees. Yikes!
This problem appears to be more acute in Europe than in North America. In North America, "only" 24 percent of security professionals responded either "fair" or "poor," while in Europe the number increased to 38 percent. The problem is also more pronounced in the public sector, where 34 percent of security professionals gave their organization a "fair" or "poor" rating. Finally, there is also a correlation with organizational size: larger firms do a better job at "communicating and training users on confidential data security policies" than smaller ones.
To me, the message is clear and frightening. The "people" part of information security (i.e., the most important part) is being minimized or managed very poorly. No wonder there are so many breaches! If this problem isn't addressed, we may as well give up. You could invest $1 billion in security technologies, but if your people don't know about or understand the problem, you may as well leave the corporate networks wide open.