According to the InformationWeek Global Information Security Survey, fielded by PricewaterhouseCoopers, only 27% of U.S. companies have conducted security training for system and network administrators. That is only slightly better than the global figure: one in four companies around the world (the study reached 8,100 people in 50 countries) has conducted such training.
Though many small companies, those with annual revenue up to $50 million, have focused their spending on deploying security applications, only 18% say they've invested in security training. Midsize companies, with annual revenue of $50 million up to $500 million, fare slightly better, at 26%. Large companies, with revenue of $500 million or more, do better still, with 35%.
"This shows that most companies still view security as something you buy, such as firewalls and antivirus, and forget about," says Lloyd Hession, chief security officer at Radianz, which runs a network for the financial-services industry.
The numbers support Hession's observation: 82% of companies have bought antivirus software and 78% network firewalls, but only 22% of companies have an employee security-awareness campaign and only 13% have user security training classes.
There may be better news ahead: 67% of U.S. companies say raising user awareness, and 55% say training staff about security, will be key organizational priorities in the next 12 months.
How does your company value information-security training? Let us know at the address below.
George V. Hulme
Has your company taken steps to raise employee awareness of security policies, procedures, and technical standards since last Sept. 11?
Training network or systems administrators isn't the way most companies are protecting their information systems. But the events of Sept. 11 have spurred businesses to increase employee awareness across a range of security concerns. Of the 2,956 U.S. sites that participated in our survey, almost three-quarters report taking steps to increase employee security awareness in the past 12 months.
Separate, Not Combined
Has your company increased collaboration among physical-security and information-security personnel since Sept. 11?
It takes more than technical procedures and policies to shore up security holes. Surprisingly, few companies are striving to improve defenses by breaking down the walls between managers tasked with physical security and those tasked with information security. Fewer than 30% of U.S. sites in this year's Global Information Security Survey have increased collaboration between physical and information security since Sept. 11, 2001, indicating that companies still view the two fields as distinct components of corporate security rather than as parts of an overall solution.
Go It Alone
Has your company hired security consultants to help defend against new forms of information-security breaches in the past 12 months?
It's not surprising that few companies, regardless of geographic location, are relying on security consultants to fend off information-security attacks. For such an engagement to be useful, the company must disclose its weaknesses fully to the consultant, and many managers who pass on these engagements are clearly worried that even ironclad legal agreements won't keep that information confidential. So it stands to reason that 88% of companies internationally and 89% of U.S. businesses keep security planning in-house.
Will monitoring user compliance of security policies be a priority for your company in the next 12 months?
Establishing company security policy is relatively straightforward. Making sure employees stay true to these rules is an entirely different matter. Companies in the United States have worked hard to increase employee awareness of security procedures, but most aren't demanding compliance or monitoring employee adherence to these security policies.