At one of the round-table sessions at Message05 in London last month, there was an interesting discussion about the role of user education vs technology in the context of how much money organisations should spend on one vs. the other as a means of making e-mail systems and networks more secure.
The consensus of the roundtable participants was that there is more to be gained from spending more on education than on technology. On balance, I tend to agree with this notion for a couple of reasons:
* First, despite the fact that it takes a substantial investment to protect an e-mail system and the rest of a corporate network from the growing array of threats that face it, the actual cost on a per-user basis is really not all that high. For example, deploying and maintaining good anti-virus, anti-spam, content filtering, IM protection and other systems will typically cost a large organisation anywhere from £15 to £60 per user initially, with system maintenance costs running less than that on an ongoing basis. User education, on the other hand, can be more expensive when you consider the cost of training classes, the production of educational aids designed to remind users about corporate policies, the cost of productivity from training, etc.
* Human beings tend to be less reliable as safeguards of corporate network security than are systems. Employees rushing to meet a deadline might forget to check a file for viruses that they bring in from home, or they might install a consumer IM client on their work PC, not realising the danger to which they have exposed their corporate network. Plus, given that turnover at most companies is reasonably consistent, there is the constant need to train new employees about corporate policies and best practices.