Pitney Bowes, the company that once was in the uncomplicated business of supplying postage meters is now a $4.6 billion (in revenues) mail-and-document-management specialist. Yet despite an array of state-of-the-art firewalls, software, and encryption algorithms to fend off network invaders, the company has come to a rather startling conclusion. "An employee culture about security is just as important as security software — if not more so," maintains chief financial officer Bruce Nolop.
At many U.S. companies, the trail of destruction left by denial-of- service worms, Trojan-horse scripts, and E-mail viruses has driven home a simple point: human error can undo almost any firewall or safeguard. Chris Byrnes, a research director at tech consultancy The Meta Group, believes using technology to combat technology is only 20 percent of the solution. "If you look at the most common [computer] security failure in Corporate America today," says Byrnes, "it's the employee who clicks on an attachment in an E-mail that infects his machine that then infects the entire corporate network."
Patching that vulnerability has become a top priority of late for many companies. In some cases, the fixes are remarkably simple. For example, a few senior managers, spooked by "malware" that targets vulnerabilities in Microsoft's Internet Explorer, now advise employees to use browsers that are less attractive to virus writers. Still others have formulated companywide policies for computer-security procedures, fining workers who fail to follow the rules.
More effective yet, a few corporations have begun to enroll employees in security-awareness training programs — and then test those workers to see if the lessons have been absorbed. Says Richard Mogull, research director at technology research firm Gartner: "You want to turn your employees into security assets, not security liabilities." (For more, read CFO magazine's October 2004 article "The Enemy Within.")