UK workers in the dark over IT security

Companies are leaving themselves open to security breaches because their IT security training is woefully inadequate, new research has revealed.

Three-quarters of staff in the UK admit that they have never received any formal training from their employer on how to use the internet and email at work in a way that minimises network security problems.

The study, conducted by NOP on behalf of email monitoring software company SurfControl, also found that, while 80 per cent of staff said that they were concerned about virus risks when they use the internet or email at work, they are ill-equipped to identify and deal with potential threats.

Martino Corbelli, marketing director at SurfControl, warned that the findings should act as a wake up call to companies.

"As a communication tool, email is fantastic and the internet is a massive 'empowerer', but it can be a massive disruption," he said.

"There is a halfway house between employers giving staff the tools, and explaining to them how they should be used."

And with corporate reputation and jobs at risk, Corbelli stressed that failing to invest in training is a false economy.

SurfControl is urging companies to include IT security training as part of an induction course for new employees which should be reintroduced every six months to keep staff updated.

Spam accounts for around 10 per cent of emails sent every day, and is predicted to rise to 40 per cent by 2005, according to analyst Meta Group.

Friendly unsolicited mail, such as jokes forwarded by colleagues, is no less of a problem.

Sixty per cent of employees will open an email even when the subject line makes it clear that the content is inappropriate, and 42 per cent of IT staff will forward an email containing inappropriate content, according to SurfControl.

"Everything we send or receive in electronic format is a potential risk. Companies have to use some common sense," said Corbelli.

Chris McNab, technical director at security consultants Matta Security, is to run security awareness courses for end users starting in January.

"Companies are spending a lot of money on IT security but, unless staff can identify the tell-tale signs of viruses and know what they should do about them, it is a waste of money and could compromise security."

And social engineering methods being used by hackers, including contacting users and simply asking for user names and passwords, mean that raising awareness throughout the company is crucial, McNab said.

Free advice on writing an email, acceptable use policies and guidelines on using email in the workplace can be downloaded from the SurfControl website here.