Straight talk on security gets employees to listen -- and comply

From phishing your own employees to sharing your company's hack history, these techniques can help you get -- and keep -- users' attention about security.

1 2 3 Page 3
Page 3 of 3

3. Protect to Enable

In light of the increasingly virulent cyberthreats out in the wild, IT leaders struggle to protect the organization while giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices. But "the more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins says.

That's why Intel adopted the mantra "protect to enable" three years ago. Rather than focusing primarily on locking down assets, the information security group aims to enable business goals "while applying a reasonable level of protection," Harkins says. To do this, IT needs three things: an adequate level of understanding of the business side's situation and needs, input from both technical and business professionals on the risks and rewards of a given security decision, and a clear channel of communication among all levels and units of the business.

In 2009, Intel's IT department partnered with the company's legal and human resources groups to define security and usage policies for a new bring-your-own-device program. The company began allowing access to corporate email and calendars from employee-owned smartphones in January of 2010, Harkins says. The initiative has been successful in keeping corporate data safe while allowing employees to use their own devices for work. And as new devices come on board, the company continues to define new security and use policies.

4. Share Your Company's Hack History

Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your company's systems can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.

Harkins agrees. Security leaders, he says, "have got to show data, and relate it to the business goals" and then they have to show how progress toward achieving those goals will be affected if ongoing incidents are not addressed. "The more your predictions start to come true," he adds, "[the more] you're demonstrating that you know what you're doing and that you're not trying to impede the business -- you're trying to help the business."

Intel has found ways to put breach data to good use without sharing too much confidential information. For instance, Harkins says, "we had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them."

Intel also posts its lost or stolen laptop rates and shares mistakes made by employees, such as posting information to a social site, and describes the risk that created for the company. "But we don't share who did it or other details that would embarrass or create issues for the employee," Harkins clarifies.

Others have mixed feelings about such tactics. Mankovich says sharing information about breaches "bears consideration," but he worries that any shared information could jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "We must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."

Ultimately, convincing employees to remain vigilant is a job shared by both IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."

Collett is a Computerworld contributing writer. You can contact her at stcollett@comcast.net.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2013 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
  
Shop Tech Products at Amazon