Endpoint
9/20/2010
08:53 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Turn Workers Into Security Partners

Rather than just protect employees or protect against them, security managers should rely on users to help defend the business

When the "Here You Have" worm started spreading last week, Intel had only a small number of its computers infected.

The company's traditional defenses definitely helped, but a critical advantage was its well-trained employees, says Malcolm Harkins, Intel's chief information security officer. When workers saw the worm and recognized it as a threat, they immediately started calling the IT team.

"The employee base saw it, they reacted really quickly, and helped us contain it by alerting us to it and then telling others not to click on it," Harkins says.

With the ubiquity of mobile devices and the ability to do work anywhere, companies need to change their mindset toward their employees and treat them as security partners. Recent research has found that employees are increasingly bringing personal devices, such as smartphones, into work or using personal Web services, such as social networks, at work.

Attempting to block workers from accessing potentially dangerous technologies does not work, says Ted Schadler, a vice president and principal analyst at Forrester Research. In their new book, Empowered, Schadler and co-author Josh Bernoff argue that managers need to help employees use today's innovative technologies to help companies thrive.

"If you are too obstructive, workers will just do an end-run around you," says Schadler.

Many companies have treated workers as a flock to protect or as wolves to protect against, not as the shepherds they could be. For security managers, that means teaching employees not just how to avoid threats, but to help protect the company against them.

"We rethought our security strategy and, you know what, people are the new perimeter," Intel's Harkins says. "So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures."

While companies should continue to deploy data protection technology and monitor logs to detect potential data leaks, recruiting employees through training can provide a contingent of additional security help, he says.

Moreover, the security team itself can use innovative technologies to help its mission. For example, Intel's security teams use occasional "Web jams" internally -- collaborative sessions with team members and employees to build awareness for security and corporate policies. The social networking helps the security team connect more closely with employees, Harkins says.

"People want to have debate and discussion," he says. "We see it as a channel to leverage to get people to understand this risk issues."

Finally, allow employees to make mistakes and own up to them, Harkins and Schadler say. Taking responsibility is part of empowering the employee to help security, rather than hindering it.

"Mistakes sometimes happen," Harkins says. "Don't overreact to mistakes. Use it as a learning experience for the employee, and it can be a learning experience for the security people as well."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web