How to talk security so people will listen (and comply!)
So far, three phishing experiments involving 250 employees each have been conducted; eventually, Mankovich hopes to test the security smarts of all 90,000 email-connected Philips employees worldwide.
"At the end of each pilot we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
As for more simulated attacks, "We've decided we're going to run it forever. Those personal hooks do very well" -- though future phishing tests will be stealthier and increasingly intricate, he says.
Protect to enable
In light of the increasingly virulent cyber-threats out in the wild, IT leaders struggle between giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices, and putting the brakes on.
But it is possible to strike a balance between the two, Harkins says. Intel adopted its "protect to enable" mantra three years ago. Rather than focusing primarily on locking down assets, the mission of the information security group has shifted to enable business goals "while applying a reasonable level of protection," Harkins says. "The more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins explains.
To enable business goals while still effectively communicating its security policies, IT needs three things, Harkins says: an adequate level of acumen as to the business side's situation and needs; input from both technical and business units on the risks versus rewards of a given security decision; and a clear channel of communication among all levels and units of the business.
Intel's BYOD plan is one product of its "protect to enable" policy. As early as 2009, Intel took a new approach that supports personal devices in the enterprise. "I challenged my team to work with Intel legal and human resources groups to define security and usage policies. This enabled us to begin allowing access to corporate email and calendars from employee-owned smartphones in January of 2010," Harkins says.
The initiative has been highly successful in allowing users to adapt their mobile devices to the workplace while keeping corporate data safe, and Intel continues to define new security and use policies as new devices come onboard.
Insurance provider Endurance Specialty Holdings Ltd. in New York tries to establish policies that don't limit the users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts