Another survey points to end users as the weakest of the weak links in the IT security chain. More evidence that security training is a must -- as in mandatory -- for all employees.RSA, the security division of EMC, published a report earlier this week provocatively titled, "The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information At Risk." RSA had an interesting methodology to its survey: it conducted 126 "person-on-the-street" interviews of office and government workers in Boston and Washington, D.C. The results should send shivers up the spines of most CIOs.

>> 63% say they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.

>> 52% say they sometimes or frequently access work-related e-mail via a public computer (i.e., a computer at an Internet cafe, airport kiosk, hotel, etc.).

>> 56% say they sometimes or frequently access work-related e-mail through a public wireless hotspot.

>> 65% say they sometimes or frequently leave work with a mobile device such as a laptop, smartphone, or USB flash drive that holds sensitive work-related information.

>> 8% admit to having lost a laptop, smartphone, or USB flash drive with corporate information on it.

Ouch!

While most CIOs readily agree that end-user security training is an important element in an overall security policy, few seem to feel that it is the MOST important element. That's according to InformationWeek's Information Security Survey 2007. In answer to the question, "How big an impact would security technology and policy training have on alleviating employee-based security breaches?," less than 20% of the 1,100 U.S. technology managers who participated in the survey think it would have a "significant impact." The majority, 63%, say it would have "some impact," and a surprising number, 18%, feel it would have "no impact."

An even more surprising result came in response to the question, "How often does your organization train employees on information security policies/procedures?" While more than a quarter (28%) say they train their employees in security yearly, the majority, 47%, say security training is "ad hoc," and 13% admit they never provide their employees with computer security training.

In the RSA survey, that number is even more dramatic: Almost a third (31%) of the office workers say their companies do not "provide training about the importance of following security best practices."

RSA is a computer security vendor, and it's looking to sell security products. That's fine, and more power to them. But even RSA points out that a realistic end-user security policy, strictly and proactively enforced, is a necessity in today's increasingly data-centric, data-sensitive world.

The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors, and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes.

Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business. Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."