Security news sites like this one often talk about the importance of user education.
Thing is, it sounds a lot easier than it actually is.
Most people want to surf, use social networking and email clients without having to think about the consequences of their behaviour. After all, isn’t it an IT person’s job to keep the company safe?
IT teams realise that, while of course an IT department has a responsibility to lock down a system as much as possible, keeping the company secure cannot negatively impact productivity. It is a difficult balance that needs to be achieved…and maintained.
So, Sophos wanted to get an idea about how much trust existed between IT and users. Last month, the company issued a survey to find out what IT staff thought on security and user attitudes.
Here are the key findings:
- Only 4% of IT staff polled trust their users
- 25% of IT staff polled fixed a security problem at least once a day
- 26% of IT staff polled said that senior management committed the worst offenses.
It is pretty clear to me that education seems to be key. Sophos’s thinking here is that many people probably aren’t even aware that there are small things they can do better ensure that their and the company’s data is safe.
Hence, the people at Sophos decided to pull together a free toolkit called IT security DOs and DON’Ts, and make it available to everyone to help promote education among users.
The download includes the following:
- Program launch guide
- Employee handbook
- Email series of 10 tips
- Poster series of 10 tips
- Online videos
- Password quick tips
- Launch announcement
And here is a video series on the toolkit that helps explain each of the tips:
Download the free IT security DOs and DON’Ts toolkit, go to www.sophos.com/staysafe. Take a look, and let us know if you find it helpful.
Image courtesy of Shutterstock
17 comments on “Only 4% of IT staff trust users: free security toolkit now available”
The link for "IT security DOs and DON'Ts" isn't correctly formatted.
thank you – now fixed
This is fantastic, thank you. I was in the middle of a (long delayed) project to create something like this on my own. You just saved me another month of work at least.
There's a spanish version planned?
When I read "Only 4% of IT staff trust users: free security toolkit now available" That the tool kit would help IT staff trust users, not help users be trustworthy.
1. The password information does not go nearly far enough. The suggestions used (;like “|<n0tmyP3n$il) may be too difficult to remember for many people. There is no suggestion of using songs – especially helpful to people who have had a brain injury since the songs tend to be remembered easier.
2. Although 10 characters is good, it should say something like "longer passwords of 15 characters or more are even better".
3. Since the keyboard pattern "qwe…" is frequently among the most common passwords, that should be used as an example.
4. Also they should know that city names like S@nFrancisc0 are not good since they are well known words/phrases and only have a simple substitution. (there's also a hacker's disctionary with the name of every city in the U.S. that has a zip code.
You're looking at the problem in the wrong way. To change behavior, you have to understand what motivates people and engage them on a different level using skills like Emotional Intelligence and an understanding of neuroscience. Otherwise, it's just about a checkbox for a compliance audit. More disengaged training "kits" won't actually change user habits. If you read some of the educational research and new techniques being implemented in the university classroom, you'll find that the IT training is decades behind.
My instinct says you're right but I have no expertise in this area. Would you mind elaborating a little?
I started following you guys on facebook when I became the de facto IT guy at an 10 person office for a booking company.
I'm always sharing your blog posts and this package has made my life so much easier.
On the flip side, some of us know more than the IT"s at our companies about the system we are using. Laugh if you wish, but t is true. In my experience, IT staff tends to be know-it-all and not willing to accept a good legit fix unless they think of it. Sorry Charlie.
When i worked for a hospital in the IT dept. We NEVER trusted the users throughout the hospital. The repeat offenders of problems we installed VNC onto the machines to check up on what they were doing so we could prevent a possible problem. In the end we gave all the staff a USB key and if they wanted work kept they had to save it to there. We ended up ghosting all the machines to save time on reinstalls after users thought it would be a great idea to save space by removing files they were not sure of… Mainly system files.
The hospital should have fired all of the incompetent IT staff.
Thank you so much!
I am ITstauff/Librarian at a public library and Sophos toolkit have a simple tips for all librarians in my library.
I am a user who ‘gets’ security. If I need to tell IT my password they seem pretty happy and surprised. But I lose respect for IT when I am automatically spoken to as if I could never, as a user, have any kind of clue.
Just sometimes I show the lack of respect by answering ‘disrespectful’ questions in strange ways. IT come over in person when you tell them how hard you had to work to open that dodgy attachment. They also love it when you fixed your slow PC by deleting all kinds of system files.
Be aware that some of us do have a clue, talk to everyone as if they deserve respect. Educating users is always a good step in this direction.
Education is all well and good but unfortunately some people are just not receptive to it.
IT Departments scream about not clicking links and attachments on unsolicited email but still users ignore the warnings do it and find themselves the victims of a nasty trojan or bit of malware that we have to clean up.
Some users will listen nod their heads and agree when you talk about these things but it will all too often go in one ear and out of the other and they carry on doing what they always did.
Senior management will always be the worst offenders because they expect god access and don't ask the minions for help as it makes them look like they don't know what they are doing.
IT Departments don't trust users and there is good reason for it.
Why put this on your site instead of a peer-reviewed one? Or getsafeonline?
If you know all of Microsoft Office, thats fine. But in the IT dept. theres more than just remembering how to create dropdown boxes in Excel. And if your IT dept. thinks that they know it all then they are going about it the wrong way.
The other posters have said what is 90% true. Users will smile in your face when you explain something to them or fix something and LITERALLY the next day have another virus on their computer. Word to users out there: We're not telling you to not check that site to be mean to you, or to "make me into a drone". We're doing it so your computer doesn't get infected. But these posts will go unread because how many of those users even check sophos.com routinely?