How to talk security so people will listen (and comply!)
So far, three phishing experiments involving 250 employees each have been conducted; eventually, Mankovich hopes to test the security smarts of all 90,000 email-connected Philips employees worldwide.
"At the end of each pilot we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
As for more simulated attacks, "We've decided we're going to run it forever. Those personal hooks do very well" -- though future phishing tests will be stealthier and increasingly intricate, he says.
Protect to enable
In light of the increasingly virulent cyber-threats out in the wild, IT leaders struggle between giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices, and putting the brakes on.
But it is possible to strike a balance between the two, Harkins says. Intel adopted its "protect to enable" mantra three years ago. Rather than focusing primarily on locking down assets, the mission of the information security group has shifted to enable business goals "while applying a reasonable level of protection," Harkins says. "The more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins explains.
To enable business goals while still effectively communicating its security policies, IT needs three things, Harkins says: an adequate level of acumen as to the business side's situation and needs; input from both technical and business units on the risks versus rewards of a given security decision; and a clear channel of communication among all levels and units of the business.
Intel's BYOD plan is one product of its "protect to enable" policy. As early as 2009, Intel took a new approach that supports personal devices in the enterprise. "I challenged my team to work with Intel legal and human resources groups to define security and usage policies. This enabled us to begin allowing access to corporate email and calendars from employee-owned smartphones in January of 2010," Harkins says.
The initiative has been highly successful in allowing users to adapt their mobile devices to the workplace while keeping corporate data safe, and Intel continues to define new security and use policies as new devices come onboard.
Insurance provider Endurance Specialty Holdings Ltd. in New York tries to establish policies that don't limit the users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts