Enterprises should reward end-users for reporting suspicious emails and let their managers know that they are actively protecting the company. This is good for positive reinforcement and morale. "Each month take the list of people who reported suspicious email and randomly select one or more for a $100 gift certificate," says Owen, who avoided $20 million in costs while developing the Shuttle Systems security program for Mission Operations at NASA's Johnson Space Center.
Owen's most effective reinforcements for raising security IQs over time include: give a $100 gift certificate immediately to an employee who reports a significant security issue; take no punitive action when an employee opens an infected link or document but reports it immediately; and include following security standards and procedures in everyone's job description.
Use What You Have
Enterprises should exercise their creative muscle to squeeze everything they can out of the security measures they already have, including the opportunities those measures create for reinforcing employee security consciousness. For example, enterprises can use Data Loss Prevention (DLP) technology simply to monitor and block attempts to funnel data out of the organization, but they are missing a great opportunity if that is all they do with it.
"I used DLP to monitor outgoing email, looking for unencrypted PII. The business monitored these events and flagged the ones we needed to closely examine. If an employee sent something they shouldn't have, we had a conversation with them and used it as a teaching opportunity, not as a means to get someone into trouble," says Michael Eisenberg, Global CISO emeritus, AON Plc.
"We clarified with the employee whether they should have sent the information in an encrypted form and ensured they were aware of circumstances that require encryption. Employees were genuinely concerned during these discussions, which achieved strong behavior modification," says Eisenberg.
AON Plc first used DLP to count the instances of employees attempting to send unencrypted PII (Social Security numbers, for example) out of the enterprise. As the subsequent interventions and conversations led to fewer instances, the company was able to gauge its progress and fine-tune the conversations for greater effectiveness. The count of unencrypted-PII events per period became a measurable metric for the state of security behavior and its decline or improvement.
"Anyone can simply start blocking emails and never let employees know that they blocked their communications. The maturity play is to use DLP to understand the risks and address them with employees in the environment in order to make a difference," says Eisenberg. "If you don't use DLP to teach people what you expect then you are doing them and yourselves a disservice."
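The detection and metric described above can be sketched in a few dozen lines. The following is an added example, not AON's or Eisenberg's code and not taken from any DLP product: it scans constructed outbound message records for plausible US Social Security numbers, ignores mail that stays inside the organization or is already encrypted, and rolls the remaining hits up per month so the trend can be tracked the way the article describes. The organization domain, the message fields and the sample messages are assumptions made for the example.

```python
"""Toy outbound-mail DLP check for unencrypted US Social Security numbers.

Added example (not AON's or any vendor's code). Everything below, including
ORG_DOMAIN and SAMPLE_MESSAGES, is constructed for illustration.
"""
import re
from collections import Counter
from datetime import date

ORG_DOMAIN = "example.com"  # assumption: mail to this domain never leaves the org

# Candidate SSN: AAA-GG-SSSS with '-', ' ' or no separator. The digit
# lookarounds stop a 10-digit phone number or a longer account number from
# matching, but a bare 9-digit account number still can; the format rules in
# is_plausible_ssn() remove the most common false positives.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Apply the SSA structural rules: no 000/666/9xx area, 00 group or 0000 serial."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return the plausible SSNs in text, normalised to AAA-GG-SSSS."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_outbound(messages):
    """One finding per message that leaves the org in plaintext with an SSN in it."""
    findings = []
    for msg in messages:
        external = [r for r in msg["to"] if not r.lower().endswith("@" + ORG_DOMAIN)]
        if not external or msg["encrypted"]:
            continue  # internal-only mail and encrypted mail are policy-compliant
        ssns = find_ssns(msg["body"])
        if ssns:
            findings.append({"date": msg["date"], "sender": msg["sender"],
                             "recipients": external, "ssn_count": len(ssns)})
    return findings


def monthly_trend(messages, findings):
    """Count offending messages per month, including months with zero hits."""
    months = sorted({m["date"].strftime("%Y-%m") for m in messages})
    hits = Counter(f["date"].strftime("%Y-%m") for f in findings)
    return {mo: hits.get(mo, 0) for mo in months}


# Constructed sample messages; the SSNs are made up and the phone/PO numbers
# are there to show what the filter must not flag.
SAMPLE_MESSAGES = [
    {"date": date(2014, 1, 8), "sender": "alice@example.com", "encrypted": False,
     "to": ["client@partner.test"], "body": "Per your request, SSN 219-51-3842."},
    {"date": date(2014, 1, 15), "sender": "bob@example.com", "encrypted": False,
     "to": ["agent@broker.test"], "body": "Applicants: 219 51 3842 and 512-23-7719."},
    {"date": date(2014, 1, 20), "sender": "carol@example.com", "encrypted": False,
     "to": ["hr@example.com"], "body": "New hire SSN 512-23-7719 for payroll."},
    {"date": date(2014, 2, 3), "sender": "alice@example.com", "encrypted": True,
     "to": ["client@partner.test"], "body": "Encrypted: SSN 219-51-3842."},
    {"date": date(2014, 2, 11), "sender": "dave@example.com", "encrypted": False,
     "to": ["auditor@cpa.test"], "body": "PO 000-12-3456, call 555-123-4567."},
    {"date": date(2014, 2, 18), "sender": "erin@example.com", "encrypted": False,
     "to": ["vendor@payroll.test"], "body": "Employee 512-23-7719 starts Monday."},
    {"date": date(2014, 3, 4), "sender": "frank@example.com", "encrypted": False,
     "to": ["client@partner.test"], "body": "Tax form lists 666-12-3456 in error."},
]

if __name__ == "__main__":
    found = scan_outbound(SAMPLE_MESSAGES)
    for f in found:
        print(f["date"], f["sender"], "->", ", ".join(f["recipients"]), f["ssn_count"], "SSN(s)")
    print(monthly_trend(SAMPLE_MESSAGES, found))
```

Each finding carries the sender, so the list doubles as the roster for the follow-up conversations; the monthly dictionary is the metric. In a real deployment the regex would be one of several PII detectors and the "encrypted" flag would come from the mail gateway, but the shape of the control, detect, coach, then measure, is the same.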
Sim Tools Rule
Enterprises should use tools that educate about specific, high-risk employee behavior. Opening phishing emails is one of the highest-risk employee behaviors. A tool called PhishMe enables an enterprise to send a harmless phishing email to employees to measure end-user susceptibility to this kind of trap. (Similar threat simulation tools include ThreatSim and tools from Wombat Security Technologies including PhishGuru, SmishGuru, and USBGuru.)
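The measurement such a tool performs comes down to giving every recipient a link that only that recipient could have clicked, then reading the clicks back out of the landing page's logs. The following is an added example, not PhishMe, ThreatSim or Wombat code: it derives a per-recipient token with an HMAC so tokens cannot be guessed or swapped, embeds it in the simulation link, and computes the click rate from constructed web-server access lines. The landing URL, the campaign secret, the recipients and the log format are assumptions made for the example.

```python
"""Per-recipient tracking for a harmless phishing simulation, with click-rate metric.

Added example, not a vendor's code. The campaign secret, landing page,
recipient list and access-log lines are all constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import urlencode

CAMPAIGN_SECRET = b"rotate-this-per-campaign"          # assumption: kept server-side
LANDING = "https://training.example.com/q3-payroll"     # assumption: teaching page
LOG_RE = re.compile(r'"GET /q3-payroll\?t=([0-9a-f]{20}) HTTP/1\.[01]"')


def make_token(campaign, email):
    """Keyed hash of campaign and recipient: unguessable, and unique per person."""
    msg = f"{campaign}:{email.lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def build_campaign(campaign, recipients):
    """Map token -> recipient so a logged token can be resolved to a person."""
    return {make_token(campaign, r): r for r in recipients}


def link_for(token):
    return f"{LANDING}?{urlencode({'t': token})}"


def clicked_recipients(tokens, log_lines):
    """Resolve landing-page hits to recipients; unknown tokens are ignored."""
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) in tokens:
            seen.add(tokens[m.group(1)])
    return seen


def click_rate(recipients, clicked):
    return len(clicked) / len(recipients) if recipients else 0.0


# Constructed campaign: four recipients, two of whom click (one twice).
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
TOKENS = build_campaign("2014-q3-payroll", RECIPIENTS)
_alice = make_token("2014-q3-payroll", "alice@example.com")
_bob = make_token("2014-q3-payroll", "bob@example.com")

# Constructed access-log lines in common log format, built from the campaign's
# own tokens so the example runs offline; the third line carries a bogus token.
SAMPLE_LOG = [
    f'10.0.0.5 - - [02/Sep/2014:09:12:01 +0000] "GET /q3-payroll?t={_alice} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [02/Sep/2014:09:15:44 +0000] "GET /q3-payroll?t={_bob} HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Sep/2014:09:16:02 +0000] "GET /q3-payroll?t=0123456789abcdef0123 HTTP/1.1" 200 512',
    f'10.0.0.5 - - [02/Sep/2014:10:01:13 +0000] "GET /q3-payroll?t={_alice} HTTP/1.1" 200 512',
    '10.0.0.7 - - [02/Sep/2014:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for tok, who in TOKENS.items():
        print(who, link_for(tok))
    clicked = clicked_recipients(TOKENS, SAMPLE_LOG)
    print("clicked:", sorted(clicked), "rate:", click_rate(RECIPIENTS, clicked))
```

Because the token is keyed, a recipient who forwards the mail or edits the query string cannot attribute a click to a colleague, and the resolved names feed the same non-punitive coaching loop the rest of the article describes. Repeat clicks by the same person count once, which keeps the rate a per-person susceptibility figure rather than a hit count.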