Staff remain the weakest link for IT security

By Matt Whipp

Posted on 6 Aug 2004 at 12:53

Small businesses in the UK blame staff for their IT security woes, according to a survey from the Institute of Directors and McAfee.

50 per cent of those surveyed considered their employees were to blame for the damage caused by virus infections. Although three quarters say they have security policies in place, two thirds of them don't believe their employees pay any heed to these policies.

In short, they've told their staff what they should and shouldn't do, and if they ignore the policy and do things such as open attachments they're not sure of or download programs off the Net, then virus infections and so on are their fault.

Sal Viveros, SMB director for McAfee, 'SMBs still say employees are responsible, but they don't have the technology in place to enforce their security policies. They need to take control out of users' hands.'

The survey polled 1,240 senior level managers and directors from UK companies with predominantly 250 staff or less between May and June of this year.

While three-quarters said they knew they weren't doing enough and that a centrally managed and multilayered approach is necessary to address the constantly evolving threat, at the same time less than a quarter said they were actively seeking to embrace this.

'It's important to really start educating SMBs in the UK. They're not really reading the IT press to find out about the kinds of threats that are out there,' said Viveros.

'This year there has been a huge growth in viruses, both in numbers and sophistication. In the first quarter of this year there were more viruses reported than in the whole of 2003.'

61 per cent of the companies polled said they had been subject to downtime, data-loss or other network problems following virus attacks, with three quarters saying virus attacks were the biggest threat.

The vast majority had antivirus software on the desktop and server, as well as a firewall. But less than half had employed anti-spam, and little more than a fifth used encryption and intrusion prevention systems.

44 per cent of those polled didn't believe it is essential to invest in technology that stops attacks before they cause problems. And 43 per cent said they didn't plan to invest in Intrusion Prevention systems or said that other security investments take priority.

'One of the problems is that SMBs often don't see technology as an enabler,' said Viveros. 'They are concerned about the cost and complexity of IT security and understandably view it as a risk/reward business decision. If they are faced with the choice of spending on security or sales people that will bring in more revenue, they'll need to consider what's a realistic trade off. So it's important they see the benefits of surfing safely and communicating effectively that good security brings.'

As negative as these results seem, Viveros said that at least anecdotally, they were a vast improvement over the state of SMB security even six months ago when the most of his efforts were going into market education around what intrusion prevention systems, policy enforcement suites and other security products actually do.

For more information, visit the McAfee SMB website.