So far, Philips has conducted three phishing experiments involving 250 employees each; eventually, Mankovich hopes to test all of the company's 90,000 email-connected employees worldwide. Future tests will be stealthier and more intricate, he says.
"At the end of each pilot, we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
Saying 'Yes, but...'
Help the Business Do Its Job -- Securely
Insurance provider Endurance Specialty Holdings tries to establish policies that don't limit users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."
For instance, many business units needed USB devices to transfer data, but the IT organization knew that USB devices can be a major contributor to data loss if they're not managed properly. So the Endurance IT team said "yes, but..." by distributing the devices but also instituting -- and explaining -- a policy mandating that the devices had to be password-protected and encrypted.
"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.
3. Protect to Enable
In light of the increasingly virulent cyberthreats out in the wild, IT leaders struggle to protect the organization while giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices. But "the more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins says.
That's why Intel adopted the mantra "protect to enable" three years ago. Rather than focusing primarily on locking down assets, the information security group aims to enable business goals "while applying a reasonable level of protection," Harkins says. To do this, IT needs three things: an adequate level of understanding of the business side's situation and needs, input from both technical and business professionals on the risks and rewards of a given security decision, and a clear channel of communication among all levels and units of the business.
In 2009, Intel's IT department partnered with the company's legal and human resources groups to define security and usage policies for a new bring-your-own-device program. The company began allowing access to corporate email and calendars from employee-owned smartphones in January of 2010, Harkins says. The initiative has been successful in keeping corporate data safe while allowing employees to use their own devices for work. And as new devices come on board, the company continues to define new security and use policies.