MessageLabs have recently published research into IT security that highlights that small firms are being increasingly targeted by hackers. Their research was based on the insights of close on 1,000 US and UK IT decision makers.
I find this worrying since many of our clients fall into the small-to-medium enterprise (SME) sector and my own experience as a consultant shows that the managers of such firms often believe they are unlikely to be targeted.
MessageLabs' research suggests that only 53% of small businesses actually have the right security measures in place (compared to 69% for larger organisations).
Their research also shows that junior (aged 26-35) tech-savvy staff (particularly those in sales) using instant messaging, email, the Web and other recent technologies are the worst culprits.
This reflects the experience of Revell Research Systems. Young, tech-savvy staff often seem to be less aware or less concerned about the security implications of their actions. It is, perhaps, their familiarity with technology at home and from their earlier education that leads to this attitude. Such staff are often very goal-oriented and are frequently unhappy when potentially dangerous technologies are blocked or curtailed for security reasons, especially when they see their use of the technology as being totally legitimate.
I believe that part of the blame for this culture rests with IT departments. That might be an unpopular thing to say, but many departments are very poor at communicating important issues to their colleagues in the rest of the organisation. They often come across as "carping on" about issues, which in my experience often leads to a defensive stand-off, which doesn't actually solve the issue.
IT departments are often portrayed as being the "brakes" to initiatives suggested by tech-savvy staff. The problem is that IT departments often say "no" to new and untested technologies (for very good reasons), but fail to assuage those proposing them. I suspect time is taken to explain why IT is against the use of the technology, but no attempt is made to help work around the business issue that led to the proposal in the first place. There are frequently more mature alternatives that IT departments could propose, thereby acting as an enabler rather than an inhibitor to innovation.
I also think generally that IT staff need to be equally focused on the technical and the human aspects of the problems they are trying to resolve. IT departments often take prescriptive and even confrontational approaches to issues (i.e. do this because I say so) when they would be better served by adopting more catalytic intervention styles in their work. I find that this approach generally leads to fewer issues with end-users, and problems with tech-savvy staff become opportunities to spread good practice amongst their less technically competent colleagues.