How to talk security so people will listen (and comply!)
So far, three phishing experiments involving 250 employees each have been conducted; eventually, Mankovich hopes to test the security smarts of all 90,000 email-connected Philips employees worldwide.
"At the end of each pilot we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
As for more simulated attacks, "We've decided we're going to run it forever. Those personal hooks do very well" -- though future phishing tests will be stealthier and increasingly intricate, he says.
Protect to enable
In light of the increasingly virulent cyber-threats out in the wild, IT leaders struggle between giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices, and putting the brakes on.
But it is possible to strike a balance between the two, Harkins says. Intel adopted its "protect to enable" mantra three years ago. Rather than focusing primarily on locking down assets, the mission of the information security group has shifted to enable business goals "while applying a reasonable level of protection," Harkins says. "The more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins explains.
To enable business goals while still effectively communicating its security policies, IT needs three things, Harkins says: an adequate level of acumen as to the business side's situation and needs; input from both technical and business units on the risks versus rewards of a given security decision; and a clear channel of communication among all levels and units of the business.
Intel's BYOD plan is one product of its "protect to enable" policy. As early as 2009, Intel took a new approach that supports personal devices in the enterprise. "I challenged my team to work with Intel legal and human resources groups to define security and usage policies. This enabled us to begin allowing access to corporate email and calendars from employee-owned smartphones in January of 2010," Harkins says.
The initiative has been highly successful in allowing users to adapt their mobile devices to the workplace while keeping corporate data safe, and Intel continues to define new security and use policies as new devices come onboard.
Insurance provider Endurance Specialty Holdings Ltd. in New York tries to establish policies that don't limit the users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!