Most companies assign their own Tech Support Department to train company employees in matters of IT security, rather than hiring outside IT consultants or asking the HR Department or Employee Development Department to commission IT security professionals, according to experts at B2B International. B2B International recently collaborated with Kaspersky Lab to conduct the Global Corporate IT Security Risks 2013 survey among companies located all over the world, including South Africa.
Effective IT security training for employees is a key component of any strategy to combat cyber threats – according to the survey, four out of five of the most common internal security incidents recorded in the past 12 months were directly linked to staff actions. The figures for South Africa show that:
- 24 of respondents reported accidental leakages of confidential data
- 36% of respondents reported employees losing corporate mobile devices with critical data stored on them
- 14% of companies encountered intentional staff-facilitated data leakages
- 20% of companies had dealt with incidents when confidential data got into the wrong hands due to the improper use of mobile devices (via a mobile email client, text messages, etc.)
Time and again, research shows that unintentional staff errors are behind a significant proportion of critical data leaks and IT security incidents. The key to addressing this challenge lies in ensuring that end users are adequately informed of IT security risks – and how best to avoid them.
While this clearly illustrates the importance of employee education in IT security, the question remains: who exactly should provide that training?
As B2B International’s experts determined, most companies believe that an organisation’s in-house IT Department should train company employees in IT security matters — even though staff education is not one of the key functions of an IT Department. This additional workload affects performance: respondents noted that IT Departments have other important tasks and typically do not have time to educate their co-workers. Obviously, this can have a negative impact on the quality of training. A better outcome can be delivered by commissioning a third-party IT consultant with the requisite training expertise. However, only 11% of respondents in South Africa reported having done so.
The HR Department is involved in employee training at 13% of the companies that took part in the survey. A similar number of companies delegate this matter to an Employee Training and Development Department. Roughly 3% of respondents reported that they commission an outside corporate training provider.
These figures are more or less the same across regions, with some minor differences: for example, the highest percentage of companies assigning IT security training to their in-house IT Departments are located in the Middle East (73%), Japan (72%), and North America (71%); while organisations in South America (65%), South Africa (61%) and Eastern Europe (57%) do so less often. External IT consultants are most often hired to train company employees in South Africa (11%) and Asia-Pacific, similar to Eastern Europe and the Middle East (both 11%).
In general, the importance of employee education in IT security is acknowledged by the overwhelming majority of companies — only 3% of survey respondents in South Africa stated that their companies do not train their staff in IT security at all. However, the quality of corporate education is open to question; after all, employee awareness about cyber threats has a direct impact on the extent to which a company’s IT security policies are followed and, as a result, on the overall degree to which a company is protected against cyber threats. Presently, in South Africa approximately 60% of survey participants indicated that company employees do not always respect or diligently adhere to corporate IT security rules. This is relatively high compared to the global statistic which is 39%.
Education: one component of a broader security strategy
Incidentally, no matter how alert and well-informed the staff, the risk of a successful cyber-attack against a company remains high, and the use of advanced corporate IT infrastructure security solutions is critical.
Kaspersky Lab’s new flagship corporate solution, Kaspersky Endpoint Security for Business — in addition to providing reliable protection against malicious programmes, network attacks, targeted attacks, spam, and phishing — also includes a number of functions facilitating the effective management of a corporation’s IT infrastructure. Kaspersky Endpoint Security for Business helps to maintain an inventory of workstations, promptly update installed software, manage and limit access rights to different components of the IT infrastructure, set up and oversee the enforcement of security policies, encrypt confidential data (for example, if a corporate device was lost or stolen), and can also be used to perform several other operations necessary to ensure that a corporation enjoys a high level of IT security.
There is one more technology offered in Kaspersky Endpoint Security for Business that works to prevent incidents stemming from employee errors: Dynamic Whitelisting. This technology prevents malware from launching. Whitelisting solutions are based on the programme’s own database of trusted applications, and permit the operating system to launch only those programmes included in the Whitelist database. This makes it extremely difficult to launch a successful attack against a company even with highly complex malicious programmes that might not yet even be known to antivirus solutions.
At the same time, it is crucial that the Whitelisting database in the solution is large enough to encompass the maximum number of applications used by a company without creating problems for legitimate programmes. For example, Kaspersky Lab’s Dynamic Whitelisting database currently contains over 700 million unique files, and is regularly updated with new files. The results of independent testing of this solution earlier this year have shown that this database size is sufficient for maintaining effective protection. Kaspersky Lab’s solution underwent all tests without producing even one false positive, and was capable of detecting almost 100% of files found in applications commonly used by corporations and home users. B2B International’s study has shown that Whitelisting solutions are among the measures most frequently taken by companies to protect their IT infrastructures: nearly 48% of respondents noted that their organisations use these solutions. This represents a significant change from last year, when Whitelisting solutions were rarely used, if at all.
Kaspersky Endpoint Security for Business can also be integrated with Kaspersky Lab’s other specialised solutions. These include corporate mobile device security and management solutions, such as Kaspersky Security for Mobile, solutions protecting virtual servers, and a number of other products that help protect even the most complex and atypical corporate IT infrastructures.