CIO

Straight talk on security gets employees to listen -- and comply

From phishing your own employees to sharing your company's hack history, these techniques can help you get -- and keep -- users' attention about security.

The statistics are staggering: Last year, Symantec blocked more than 5.5 billion malware attacks, an 81% increase over 2010, and reported a 35% increase in Web-based attacks and a 41% increase in new malware variants. Those findings, documented in the company's latest annual "Internet Security Threat Report," might cause IT leaders to wonder if they're doing everything possible to protect their organizations.

And well they should. Security folks, in struggling to establish policies and procedures that are both effective and easy to implement, often forget a crucial step, experts say: communicating their security goals effectively, so that employees not only follow the security procedures but also understand the reason for having a security policy and embrace its goals.

"Compliance is necessary, but it's not sufficient," says Malcolm Harkins, vice president and chief information security officer at Intel. Harkins' goal is to get employees to go beyond compliance toward full commitment to protecting the company's information. "If they're committed to doing the right thing and protecting the company, and if they're provided with the right information, [then] they'll make reasonable risk decisions."

To be sure, employees don't play a role in every type of corporate security breach (see chart). But user behavior and noncompliance are implicated in many, including mobile malware attacks, social network schemes and advanced targeted attacks. In the face of such an onslaught, a wall poster of security tips hanging in the break room is useless, says Julie Peeler, foundation director at the International Information Systems Security Certification Consortium -- also known as (ISC)² -- a global, nonprofit organization that educates and certifies information security professionals.

Managers need to ensure that employees understand the security posture of the company from day one, Peeler says. Employees must be willing to sign confidentiality agreements, attend training and practice ongoing vigilance. "Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top," she says.

Here's a look at five best practices for making information security a corporatewide responsibility.

1. Put Threats Into Context

People don't internalize security best practices by simply being told what to do or by being scared into compliance, Peeler says. And Harkins agrees: "You don't want to spin information security compliance as fear," he says. "Fear is like junk food -- it can sustain you for a bit, but in the long run it's not healthy."

[Chart: Top 10 Threat Actions Used in Enterprise Attacks. Source: analysis of 855 confirmed organizational data breaches investigated in 2011 by the Verizon RISK Team or one of its international forensic partners, published in Verizon's 2012 Data Breach Investigations Report. Totals exceed 100% because incidents often involve multiple threat events.]

Instead, both experts say, employees are more likely to be motivated into compliance if security managers can put risk into a context that relates to them directly. Most employees know that a security breach affects not just data, but also the company's brand and reputation. But Harkins notes that employees in some business units might not fully understand that they could play a role in a breach just by doing what they consider business as usual.

A marketing team, for instance, might want to launch a new interactive website ahead of its competitors, he explains. The website's content might seem harmless if, for example, it doesn't include intellectual property -- just a few interactive screens and videos. But what if the third-party developer that built the site left vulnerabilities that let an attacker plant malware behind one of the site's links, so that the company's own brand becomes the lure? Explaining such risks ahead of time, and in a way that's specific to the department's line of business, helps ensure the group will do what's necessary to mitigate damage, Harkins says.

Real-world examples can also drive the message home. When a data breach makes the news, use it as a teaching tool -- in training classes, via email or through video presentations. Discuss the likelihood of a similar breach occurring in your organization. Ask: How would a breach like this have affected our company? What people or business units should remain extra vigilant against a similar attack? What security measures do you already have in place to protect against such an attack?

2. Go Phishing, Internally

Another effective technique is to run simulated phishing campaigns: send employees a controlled lure, see how many take the bait, and use the moment to offer advice on avoiding similar real-world scams.

Royal Philips Electronics recently launched a pilot program of controlled phishing attacks, says Nick Mankovich, chief information security officer. Working with a professional phishing partner, which Mankovich declined to name, Philips simulates an email scam that tries to get employees to click a link to a website and then enter their username and password. When an employee clicks on the link, a message pops up explaining the error and offering tips to avoid being scammed in the future.

"It's not about embarrassing or surveilling anyone. It's really about giving material that means something at the moment when they click on the [phony] link," Mankovich says.

Depending on the exact nature of the attack, tips might include questions like: Did the email come from a trusted source? Was there something misspelled or unusual about the link? Did you remember to hover the mouse over the link and check the status bar at the bottom of the screen to see if the actual target URL matched the one shown in the body of the message? (On phones and tablets, where there is no mouse to hover, most mail clients reveal the real target only on a long press, which is one reason mobile users are a common phishing target.)
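The "hover over the link" check can also be automated for an HTML message before it ever reaches an inbox, or as a triage aid for reported mail. The following is an added example written for this article, not code from Philips or its phishing vendor: it pulls every anchor out of an HTML body, flags links whose visible text is a URL pointing somewhere other than the real target, and flags hosts that imitate a company domain either by embedding it in a longer name or by one-character misspelling. The trusted-domain list and the sample email are constructed for illustration.

```python
# Added example (not from the article): automate the "hover over the link" check
# for an HTML email body. TRUSTED_DOMAINS and SAMPLE_EMAIL are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "philips.com"}  # assumed list of legitimate domains


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if the text is not such a URL."""
    try:
        p = urlparse(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return ""
    if p.scheme not in ("http", "https"):
        return ""
    return (p.hostname or "").lower()


def registrable(host):
    """Last two labels of a host (good enough here; does not handle co.uk-style suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is legitimate/unrelated."""
    reg = registrable(host)
    if reg in trusted:          # a real subdomain of a trusted domain
        return None
    for t in sorted(trusted):
        name = t.split(".")[0]
        if name in host:        # philips.com.evil.net, philips-login.example.net
            return t
        if edit_distance(reg, t) <= 1:   # phillps.com, philips.co
            return t
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Findings for one anchor: display/target mismatch and look-alike host."""
    findings = []
    target, shown = host_of(href), host_of(text)
    if shown and target and shown != target:
        findings.append("display-url-mismatch")   # what the user reads is not where they go
    t = lookalike_of(target, trusted) if target else None
    if t:
        findings.append(f"lookalike:{t}")
    return findings


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """All suspicious anchors in an HTML body, in document order."""
    report = []
    for href, text in extract_links(html):
        f = check_link(href, text, trusted)
        if f:
            report.append({"href": href, "text": text, "findings": f})
    return report


# Constructed sample lure: one mismatched link, one genuine link, one misspelled domain.
SAMPLE_EMAIL = """
<p>Your password expires today.
<a href="http://philips.com.account-verify.net/login">https://intranet.philips.com/reset</a></p>
<p>Questions? <a href="https://helpdesk.philips.com/">Help desk</a></p>
<p>See <a href="https://phillps.com/security">our security page</a>.</p>
"""

if __name__ == "__main__":
    for item in audit_email(SAMPLE_EMAIL):
        print(item["href"], "->", ", ".join(item["findings"]))
```

Two of the three links in the sample are flagged: the first because the text shows an intranet address while the target sits under an unrelated registrable domain that merely begins with "philips.com", the third because "phillps.com" is one substitution away from the real domain. The genuine help-desk link passes. This is a first-pass filter, not a verdict: attackers also use display text that is not a URL at all, so the question to users ("does the target match what you expected?") still matters.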

So far, Philips has conducted three phishing experiments involving 250 employees each; eventually, Mankovich hopes to test all of the company's 90,000 email-connected employees worldwide. Future tests will be stealthier and more intricate, he says.

"At the end of each pilot, we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
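The pilot described above hinges on a few mechanics that the article does not spell out: each recipient gets a unique link so the landing page knows who clicked, the link must not be forgeable or enumerable (otherwise a curious employee could "click" on behalf of colleagues and spoil the numbers), a repeat click counts once, and the published result is an aggregate rate rather than a list of names, in keeping with Mankovich's point that the exercise is not about surveilling anyone. The following added example, written for this article and not Philips's program or its unnamed vendor's product, shows those mechanics end to end; the campaign name, landing URL, secret key and addresses are all assumed values.

```python
# Added example (not Philips's program or its vendor's product): the mechanics of a
# simulated-phishing campaign with per-recipient tracked links, HMAC-protected tokens,
# just-in-time teaching text on click, and an aggregate-only report.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class PhishingSimulation:
    """One simulated campaign. Campaign names, URLs and keys are illustrative."""

    def __init__(self, campaign_id, landing_url, key, red_flags):
        self.campaign_id = campaign_id
        self.landing_url = landing_url
        self._key = key                    # server-side secret; never appears in the email
        self.red_flags = list(red_flags)   # what the lure got "wrong", shown on the teaching page
        self._recipients = {}              # opaque id -> email address (kept server-side only)
        self._clicked = set()

    def add_recipient(self, email):
        rid = secrets.token_urlsafe(9)     # random id: not the address, not a sequential number
        self._recipients[rid] = email
        return rid

    def _token(self, rid):
        """HMAC over campaign and recipient, truncated to 128 bits and URL-safe encoded."""
        msg = f"{self.campaign_id}|{rid}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:16]
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def tracking_link(self, rid):
        """The link placed in the lure sent to this recipient."""
        query = urlencode({"c": self.campaign_id, "r": rid, "t": self._token(rid)})
        return f"{self.landing_url}?{query}"

    def handle_landing(self, clicked_url):
        """Landing endpoint: validate the link, record the click once, return the lesson."""
        q = parse_qs(urlparse(clicked_url).query)
        rid = q.get("r", [""])[0]
        token = q.get("t", [""])[0]
        if q.get("c", [""])[0] != self.campaign_id or rid not in self._recipients:
            return False, "Unknown link."
        if not hmac.compare_digest(token, self._token(rid)):
            return False, "Invalid link."  # tampered or guessed token: nothing is recorded
        self._clicked.add(rid)             # a set, so repeat clicks count once
        return True, self.teaching_message()

    def teaching_message(self):
        """Shown at the moment of the click, when the material means the most."""
        lines = ["This was a simulated phishing email sent by the security team.",
                 "Signs you could have used to spot it:"]
        lines += [f"  - {flag}" for flag in self.red_flags]
        lines.append("Tip: hover over any link and compare the real target with the text "
                     "before you click; report suspicious mail instead of acting on it.")
        return "\n".join(lines)

    def report(self):
        """Aggregate result only: no addresses, so the numbers can be shared widely."""
        n, k = len(self._recipients), len(self._clicked)
        return {"campaign": self.campaign_id, "recipients": n, "clicked": k,
                "click_rate": (k / n) if n else 0.0}


if __name__ == "__main__":
    sim = PhishingSimulation(
        "pilot-1", "https://awareness.example.com/landing",
        key=secrets.token_bytes(32),
        red_flags=["The sender address was not on the company domain",
                   "The link text did not match the link target"])
    ids = [sim.add_recipient(a) for a in ("ann@example.com", "bob@example.com")]
    link = sim.tracking_link(ids[0])
    print(link)
    print(sim.handle_landing(link)[1])
    print(sim.report())
```

Two design points carry over to any real tool: the token is an HMAC over the campaign and recipient identifiers, checked with a constant-time comparison, so the landing page accepts only links the campaign server actually issued; and the recipient-to-address mapping stays on the server while the report exposes only counts, which is what makes it possible to publish the results without singling anyone out.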

Saying 'Yes, but...'

Help the Business Do Its Job -- Securely

Insurance provider Endurance Specialty Holdings tries to establish policies that don't limit users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."

For instance, many business units needed USB devices to transfer data, but the IT organization knew that unmanaged USB storage is a major contributor to data loss, whether through a lost drive or a copied one. So the Endurance IT team said "yes, but..." by distributing the devices but also instituting -- and explaining -- a policy mandating that the devices be password-protected and encrypted, so that a lost drive does not become a lost data set.

"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.

- Stacy Collett

3. Protect to Enable

In light of the increasingly virulent cyberthreats out in the wild, IT leaders struggle to protect the organization while giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices. But "the more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins says.

That's why Intel adopted the mantra "protect to enable" three years ago. Rather than focusing primarily on locking down assets, the information security group aims to enable business goals "while applying a reasonable level of protection," Harkins says. To do this, IT needs three things: an adequate level of understanding of the business side's situation and needs, input from both technical and business professionals on the risks and rewards of a given security decision, and a clear channel of communication among all levels and units of the business.

In 2009, Intel's IT department partnered with the company's legal and human resources groups to define security and usage policies for a new bring-your-own-device program. The company began allowing access to corporate email and calendars from employee-owned smartphones in January of 2010, Harkins says. The initiative has been successful in keeping corporate data safe while allowing employees to use their own devices for work. And as new devices come on board, the company continues to define new security and use policies.

4. Share Your Company's Hack History

Although controversial, sharing -- in confidence, of course -- the number and nature of attempted hacks on your company's systems can be a strong motivator toward security compliance, Peeler says. "People don't really understand how often a company's own systems are under attack," she points out.

Harkins agrees. Security leaders, he says, "have got to show data, and relate it to the business goals" and then they have to show how progress toward achieving those goals will be affected if ongoing incidents are not addressed. "The more your predictions start to come true," he adds, "[the more] you're demonstrating that you know what you're doing and that you're not trying to impede the business -- you're trying to help the business."

Intel has found ways to put breach data to good use without sharing too much confidential information. For instance, Harkins says, "we had an employee who stole intellectual property from us a few years ago and was convicted earlier this year. We posted to all employees the story of what happened, how we found out, and reminded everyone of the expectations we have of them."

Intel also posts its lost or stolen laptop rates and shares mistakes made by employees, such as posting information to a social site, and describes the risk that created for the company. "But we don't share who did it or other details that would embarrass or create issues for the employee," Harkins clarifies.

Others have mixed feelings about such tactics. Mankovich says sharing information about breaches "bears consideration," but he worries that any shared information could jump the fence to the outside world. "My first reaction is that, with 124,000 employees in 60 countries, we couldn't avoid it going public," Mankovich says. "We must consider the downside of providing the bad guys with attack intelligence. That in itself might increase risk."

Ultimately, convincing employees to remain vigilant is a job shared by both IT and the business. "We really have to understand how the workforce is changing, how are we changing the workforce, and how the expectations of people who use our products or partner with us are changing," Mankovich sums up. "The job is endless, but it's exciting."

Collett is a Computerworld contributing writer. You can contact her at stcollett@comcast.net.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
