As a prank, Moore rewrote some code for the company's IBM mainframe to allow him to send anonymous messages to co-workers. But his joke inadvertently resulted in his message being inserted into a sales forecast report, which was about to be presented by a Genesco vice president.
Security technology may be getting more sophisticated, but that doesn't mean employees are--and they're often the last line of defense against viruses and other potentially costly security threats.
As Symantec CEO John Thompson puts it, a lock is useless if you don't lock it. He and others suggest that companies get appropriate policies and training programs in place, rather than simply relying on software.
Genesco was ahead of its time in offering information-security training to its rank-and-file workers. And even today, security experts say very little is being done to educate employees on antivirus techniques and company policies relating to information security.
"People are the weakest link," said Chris Pick, vice president of market strategy at security and systems-management company NetIQ and co-founder of Human Firewall, an educational and informational Web site now operated by the Information Systems Security Association, or ISSA. "Education is the first line of defense."
But apparently not many companies are following that playbook.
Last year, the Human Firewall Security Awareness Index Survey found that 48 percent of the companies participating in the survey had never provided formal security training for their work force, Pick said. And of those companies that had, only 15 percent had provided such training in the previous six months. The National Cyber Security Partnership seems to be aware of the problem too. In March, the group more security education.
PC users are frequently pinpointed at the weakest link in the security chain. A recent survey of developers conducted by Evans Data, a market intelligence firm, found that one in four believed that biggest barrier to computer security is users refusing to follow policies. Nearly one in 10 developers thought security solutions were too complex for the average user.
The lack of an informed work force can be costly for a company, since technology can only go so far in protecting a network, security experts said.
What you don't know, can hurt you
"Unfortunately, people are still not thinking before opening an (e-mail) attachment. Every time a new virus comes out, people go out and do the same thing they shouldn't be doing," said Mike Breth, IT audit manager for the Westfield Group, an insurance and financial services company.
Regulations around, such as the , and financial reporting measures, such as the , are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.
"In the last 30 or 40 years that we've had computers, there have not been any great strides in making employees aware of the importance of security," Moore said.
Companies are increasingly becoming aware of the problems security breaches and viruses can bring, but few are devoting dollars to educating the work force--the last gatekeepers.
"Very few companies do this, because they don't see how it adds to the bottom line," Moore said, noting that if money is spent, it's often for security-related technology. "Symantec and other vendors have very good products like firewall and intrusion-detection software, but these are only addressing the technical problem."
, which also sells an off-the-shelf Web-based security training program for employees, finds that prospective customers will cite budget constraints when declining to purchase the training program, or they will buy the company's security products but not the training.
, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure.
"Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure," Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."
Thompson said that given a fixed budget, companies should first invest in a corporate security policy and staff training, before purchasing security products.
Leading a horse to water
Some companies, however, have taken the initiative to educate their work force, beyond having a security policy in an employee manual or posted on an internal Web site.
Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.
But the tide seems to be turning, even among employees.
"Employees are now concerned with who has access to their data and are also asking questions about whether our backup tapes are adequate," said Breth. "Now they're taking ownership of the data and making sure it's secure, rather than just saying it's the IT department's problem."
Breth noted the new privacy regulations are helping to drive the increase in employee awareness and participation.
Westfield's chief executive has also brought up the issue of IT security during the past two companywide meetings, and that has helpedon the issue, Breth added.
"Over the past six months, the level of communication we've had with employees has ramped up, and people are being told about the role they play in keeping the whole company secure," Breth said. "Instead of a printed policy inside our employee manual that they read on their first day but then it sits on the shelf, we're now e-mailing people our policy, and they're hearing about it at our quarterly meetings."
Westfield is also supplying its employees with frequent security and antivirus tips that go beyond avoiding unsolicited e-mail attachments.
Convergys, meanwhile, posts a security newsletter on its intranet every two weeks, displays security-related posters throughout the workplace and is currently working on making some of its security and antivirus training mandatory, as well as requiring some familiarity with the company's security policy as part of the annual review process, Moore said.
"The big problem with educating employees on security issues is being able to track whether you're getting through to people," Moore lamented. "Everyone knows about viruses, for example, but half the people don't have antivirus software. They're the ones who become the (spam) zombies and infect the entire human race."