Security training effective, survey says

Federal agencies are spending more money to train more employees than ever, but the majority of feds are not familiar with the Federal Information Security Management Act.In a new survey by SecureInfo, 65 percent of respondents had not heard of the congressionally mandated information security law, and 40 percent of those who had heard of FISMA said it is a compliance headache. The company interviewed 85 civilian and Defense Department employees about their opinions of FISMA and whether it is making a difference.Because of the recent focus on training and security, agencies are more secure than ever, according to 68 percent of respondents, and 63 percent said their agencies are more secure today than a year ago.“Based on the survey, I do believe the government is more secure because of things such as two-factor authentication and the rollout of Homeland Security Presidential Directive 12,” said Christopher Fountain, SecureInfo’s president and chief executive officer. “A lot of things have been coming out [that] are important, and National Institute of Standards and Technology guidance and other publications talk about the people factor.”“The clear problem is [that] most users are well meaning, and a very innocent act can create significant vulnerability. And a wide variety of acts like improperly handling backup data and a laptop being misplaced cause security breaches,” he said. “The question to us is if all this money is being spent on training, why are these incidents increasing?”Ninety-two percent of respondents said they had received training in information technology security at least once in the previous 12 months. According to the Office of Management and Budget’s FISMA report to Congress, agencies spent more than $74 million on training in fiscal 2006.Fountain said the best training involves penetration testing in which a private-sector company tries to break into the agency’s network via phishing or hacking.“Agencies may need to increase their spending and the frequency of training or have other programs behind the training to ensure [employees] take it to heart,” Fountain said.