User Education
Many organizations are looking beyond technical fixes to tackle insider abuse. Glen Carson, information security officer for California's Victim Compensation and Govern-ment Claims Board, says the problem stems more from a lack of user education than poor authentication.
His priority is education: explaining to the 350 users in his agency why data security is important and how it will help them in the long run.
"We recently completed a third-party security assessment and got a good test of our exterior shell, but internally our controls were lacking," he says. "Sticky notes with passwords were found on monitors and in desk areas, in scripts and unprotected source code. People just need help knowing what needs to be done and why."
Carson, who joined the board earlier this year, is building its first formal information security program from the ground up. As the entire infosecurity department, Carson says he needs all the help he can get.
"The best way I know that I can get everybody to help is through education," he says.
Educating end users--which more than 43 percent of survey respondents say will be very important for their organizations next year--is a big part of the security process at USG, a Fortune 500 building products company.
