Society - Written on Tuesday, February 23, 2010 12:17

Tim Bevins
Security, security, security…

Employees are the weak link in security. Everyone knows that, right? You just cannot trust them not to open phishing emails and click on links that take them to bad places and allow intruders access to corporate stuff.

If only there were tools to find out which employees are susceptible to phishing and other scams that masquerade as legitimate email.

There are such tools, including at least one product that lets IT send fake phishing emails to employees to test their awareness of and adherence to IT policies. Such products enable IT to find out who the security weak links are among employees.

Security breaches of the humongous kind get very bad press and agitate people and government regulators, but many smaller and unpublicized potential intrusions are foiled every day; criminals and others test the security of companies, governments, and individuals all the time.

So what is my point? Call me incredibly naïve, but the effects of outing the weak security links among employees may not all be positive. For IT, testing individual employees for security awareness can help close holes in security. For the employees who fail and even those who do not, the fact of testing can remind all employees of IT policies and of the consequences of opening email from unknown sources or clicking on links. It will make them more skeptical, which is probably a good thing when it comes to corporate network security.

It also may have other effects. It may make them resentful of IT for duping them, may harm morale and affect engagement, and may, in particular, turn off younger employees, who may well post their disaffection on social network sites, on Twitter, or even via text messaging, which can make it very hard for the company to find out. Recent research by Accenture among Millennials – the Gen Ys in your workforce – reveals that 45% of employed Millennials use social networking sites at work and about half say they have accessed “online collaborative tools, online applications, and open source technologies” from free public sites at work when the tools provided by the employer are either inadequate or missing. Furthermore, 66% of Millennial employees say they do not abide by corporate IT policies, some because they are unaware of those policies, some because they claim the policies are either not published or too complex. They clearly have a very different attitude towards security than other employees.

I am not advocating that IT tune its policies to the wants and desires of Millennials, or that it stop testing for security holes, but rather that it be aware of the consequences of surreptitiously checking up on specific employees. Testing security all the time is important; testing individual employees for compliance may be counterproductive, especially among the youngest employees.

What’s your view?
