A study from the US IT trade body CompTIA reveals that a minority of companies (and in the current economic turmoil a decreasing number) have given IT security training to their non-IT staff.
Whilst any study from a trade body should be treated with a little caution, this one stands up. Here in the UK it seems to be pretty rare amongst medium to large companies to see any user-community focussed IT security training - which is interesting, as these end-users are probably the portal through which most viruses, trojans and password-loss cases arise.
The situation has been made worse in the past few years by the advent of cheap laptops, wireless access at home (often badly set up), a profusion of mobile devices, public wireless networks, USB memory devices and more. Most users simply trust they are OK. I wonder how many corporate laptops get used at home on a personal network connection, and on public Wi-Fi networks?
The study shows the biggest hit from security breaches is to the end-users themselves (33% of security breaches) - i.e., loss of their laptop or other service, and then the loss of productivity that comes from that. Further down the scale (19% of security breaches), but still with significant effect, are the effects on corporate services and networks.
A little advice about safe surfing and safe use may pay more dividends than an emphasis on technology and control for preventing security breaches.
Banks are the Same (Mostly)
UK banks are an example of this when it comes to on-line banking - spending vast sums on server and corporate-side security whilst the personal and small business customer has to sort out the other end of the connection, the home or business computer, themselves, with wildly varying success. Read the terms and conditions (the small print) of your on-line banking provider - you'll find the responsibility is pushed firmly onto you as a consumer, with little in the way of support.
However, one bank does deserve an honourable mention - RBS Group. RBS introduced a system over a year ago that extended the ridiculous and overused password system used by most banks with a requirement to enter a password but then to use something that you possess - a device and a card. Without this, you can't transfer funds and drain an account - meaning even if you suffer a password loss through spyware, the damage that can be inflicted on you is limited.
RBS have gone one better now with the launch of something called Rapport. This product is basically there to step in and make the connection between your machine and the bank less vulnerable to malware - and it's offered for free.
I expect other banks will follow the RBS line in the coming year. I also think there is every possibility that they'll start to take more interest in customer computer security in the near future.