End user security training is a vital element of any organization's information security efforts. Unfortunately, in today's sputtering, protracted economic recovery, with consolidated IT departments and ever-stretched budgets, it is rare. Most often I've seen lip service paid to the issue and very little action. The result of this inaction is a staff that is the weak link in your security program. They are often the source of social engineering information leaks, corporate espionage, competitive intelligence gathering, and even clever targeted malware attacks. It boggles the mind that more organizations don't have a required (at least) annual effort to train their employees to act with information security in mind.
In the course of a day as an information security practitioner I see it all. Nothing, however, is as frustrating as the problems that could easily be fixed. With a little training, users wouldn't write the accounting password on a big yellow sticky note above their desk or click the questionable link from their long-lost Ghanaian relative. They might actually understand the risks to their jobs and to their organization. Training might make the financial risks of cybercrime real and change their behavior as a result.
In light of the risks, I think the investment in end user security training is an intelligent decision that pays for itself again and again. I believe we need to make the risks and repercussions of information security real to the end user, and it is only through training that we will make this happen.