T 2.103 Insufficient training of employees
IT users of all kinds often do not receive enough training in the operation of the IT systems they use. Unfortunately, this often also applies to administrators and to those providing user support. Expensive systems and applications are frequently purchased without providing enough resources, if any at all, to train the IT users.
This can lead to serious security problems through unintentional user errors, incorrect configurations, and unsuitable operating resources. In many cases, users will not use a recently installed security program because they do not know how to operate it, and learning how to use it by themselves alongside their daily work routine is often considered too time-consuming. For this reason, it is by no means enough merely to purchase and install the security software.
Examples:
- An unknown error message appeared on the screen while a user was entering data. Since clicking "OK" for error messages had never caused any damage so far, the user also selected "OK" this time. This time, however, it caused the system to shut down, and all data entered up until then was lost.
- An expensive firewall system was purchased. The administrator of another IT system was appointed to be the administrator of this firewall system. Since this person was considered indispensable and all available funds were used to purchase the system, he did not receive any training on the operation of the system platform or on the type of firewall used. Requests for external seminars were rejected due to a lack of funds, and the organisation did not even purchase any additional manuals. Two months after starting operation of the firewall system, it was discovered that internal systems were freely accessible from the Internet due to the incorrect configuration of the firewall.
- A company was preparing to migrate to a new operating system. The employee responsible for this had expert knowledge of the platform used up until then, but was not familiar with the new systems being discussed and was not provided with the corresponding training either. For this reason, he visited some free events held by a manufacturer, whose products he then favoured. This resulted in a poor and costly decision to introduce an unsuitable product.
- In order to use the Internet during business trips, personal firewalls were installed on the notebooks of the employees. The employees were not trained in how to adjust the settings of the firewall to meet their needs. As a consequence, many employees disabled the firewall so they could visit any Internet site they needed without any problems. The result was that many of the computers were infected with malware after just a few weeks. In addition to losing data, the organisation's image was also seriously damaged because e-mails containing malware were sent by the organisation to its customers.