Should all your staff have a security qualification?

Can you afford not to educate them?
Written by Will Sturgeon, Contributor

A leading IT training organisation is urging companies to train all their staff to a basic and certified level of understanding in IT security.

The intention is that employees in all roles, whose behaviour typically undermines the best technical efforts to secure the enterprise, will begin to understand the role they must play in protecting the business.

Many companies would argue they already educate staff on such issues, through the inclusion of email and internet usage policies in company handbooks or in staff contracts, but Rob Chapman, founder of the Training Camp, the latest company to offer training for non-IT staff, argues such measures are now little more than a worthless gesture towards responsible risk management.

Chapman said: "The problem here is that companies get people to sign up to a policy on day one but they don't educate them on how to adhere to that policy.

"Staff may be naïve and they may make a serious mistake that brings a company to its knees but in a lot of cases you can't really blame somebody for doing something if they've never been taught properly."

Chapman argued that while companies may balk at the cost of sending individuals on such a course, the potential, albeit "intangible", costs of staff not knowing how to work in a secure manner could be crippling.

Staff have long been recognised as the weakest link in the security chain and Chapman said "there is an insurance element" to such training which high-risk companies, such as those in the financial services sector, would ignore at their peril.

Stuart Okin, a partner in Accenture's security practice, told silicon.com he believes such courses are certainly of value, although he couldn't comment on the specifics of the Training Camp offering which only launched today.

Okin said: "Training and awareness courses – for all staff – are definitely a necessary requirement now," adding that he believes companies should be able to weigh up the cost of not training staff properly against the risk of not doing so.

He said: "Companies are able to look at their cost risks. Companies can quantify the cost of lost data or intellectual property and the costs of not doing [effective training]."

However, Okin said companies that do adopt such an approach should do more to promote the positives rather than simply settling for mitigating potential adverse effects. He said enterprises which can demonstrate security qualifications across the business will have a compelling competitive advantage in their market, especially if their business involves the handling of sensitive third-party information.

Despite charging £950 per person for a two-day residential course, including accommodation, course materials and an examination, the Training Camp's Chapman said: "I don't think courses like this are expensive when you consider the downsides."

Chapman said the residential nature of the course and the exam element will ensure staff listen and absorb information which previously languished in an ignored paragraph or two in their company handbook.
