Taking security out of the hands of users

Bruce Schneier found this study of the nature of the insider threat as reported by The Register. Two of the points jump out at me:

  • Two thirds (62 per cent) of those quizzed admitted they have a very limited knowledge of IT Security.
  • More than half (51 per cent) of those polled had no idea how to update the anti-virus protection on their company PC.

Taking the second item first, that half of those polled have no idea how to update their anti-virus protection: my question is, why should they know? Given that a security system is only as good as its weakest link, and that time and time again users are that weakest link, it seems to me that functions like this have to be taken out of end-users’ hands. Making end-users the security administrators of their own IT assets is a recipe for disaster. Security and identity management solutions, in order to be effective, have to be invisible from the end-user perspective. Like my Mac… they should just work. Despite what a lot of companies think, the majority of users out there are not computer savvy. They treat computers as a necessary tool, not unlike how people treat cars. Cars get you from point A to point B and you don’t have to know how they work to drive them. Computers get my draft budget up to finance so that my group gets money next year; I don’t want to know how the virus scanner peeks through my inbox looking for bad things. It is irresponsible to put the administration of security and identity management products on the end-user community. Yes, I know that the IT department is understaffed and overworked. Vendors know this too. IT departments have to hold their vendors more accountable: demand solutions that are easier to install and maintain, and seek out products that do not put the administrative onus on the end-user.