Companies that don’t provide security training to their employees are leaving open pathways into their corporate networks, according to a recent survey.
Customers are well aware of the threats they face from viruses and worms, but a survey of some 550 small and midsize businesses found that human error was the primary cause of nearly 60 percent of security breaches during the past year, said Brian McCarthy, COO of the Computing Technology Industry Association (CompTIA), Oakbrook Terrace, Ill., which sponsored the study.
“The alarming part is that little is being done to change cultural behavior,” McCarthy said. “End-user awareness [of security issues] is a big problem in companies. Organizations that provide security training to employees will see ROI.”
Brian Haboush, vice president of business development at Intelligent Connections, a Royal Oak, Mich.-based solution provider, agreed. “We find the biggest vulnerability in corporate networks to be caused by misconfiguration of equipment due to lack of training,” he said. Haboush sees increasing demand for security training and is expanding his training offerings for IT staff and for the executive ranks.
Most of the flaws that emerge in the security and vulnerability assessment realm are due to misconfigurations and poor application of corporate security practices, which points to a need for training, said Paul Rohmeyer, a professor at Stevens Institute of Technology, Hoboken, N.J., and former COO of North Brunswick, N.J.-based security solution provider Icons.
VARs should include security training in the solutions they offer to help companies effect cultural change and minimize human error, McCarthy added. “There are opportunities to bring a training solution into the equation to make sure products they have installed are fully realized,” he said.