Turn Workers Into Security PartnersRather than just protect employees or protect against them, security managers should rely on users to help defend the business
When the "Here You Have" worm started spreading last week, Intel had only a small number of its computers infected.
The company's traditional defenses definitely helped, but a critical advantage was its well-trained employees, says Malcolm Harkins, Intel's chief information security officer. When workers saw the worm and recognized it as a threat, they immediately started calling the IT team.
"The employee base saw it, they reacted really quickly, and helped us contain it by alerting us to it and then telling others not to click on it," Harkins says.
With the ubiquity of mobile devices and the ability to do work anywhere, companies need to change their mindset toward their employees and treat them as security partners. Recent research has found that employees are increasingly bringing personal devices, such as smartphones, into work or using personal Web services, such as social networks, at work.
Attempting to block workers from accessing potentially dangerous technologies does not work, says Ted Schadler, a vice president and principal analyst at Forrester Research. In their new book, Empowered, Schadler and co-author Josh Bernoff argue that managers need to help employees use today's innovative technologies to help companies thrive.
"If you are too obstructive, workers will just do an end-run around you," says Schadler.
Many companies have treated workers as a flock to protect or as wolves to protect against, not as the shepherds they could be. For security managers, that means teaching employees not just how to avoid threats, but to help protect the company against them.
"We rethought our security strategy and, you know what, people are the new perimeter," Intel's Harkins says. "So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures."
While companies should continue to deploy data protection technology and monitor logs to detect potential data leaks, recruiting employees through training can provide a contingent of additional security help, he says.
Moreover, the security team itself can use innovative technologies to help its mission. For example, Intel's security teams use occasional "Web jams" internally -- collaborative sessions with team members and employees to build awareness for security and corporate policies. The social networking helps the security team connect more closely with employees, Harkins says.
"People want to have debate and discussion," he says. "We see it as a channel to leverage to get people to understand this risk issues."
Finally, allow employees to make mistakes and own up to them, Harkins and Schadler say. Taking responsibility is part of empowering the employee to help security, rather than hindering it.
"Mistakes sometimes happen," Harkins says. "Don't overreact to mistakes. Use it as a learning experience for the employee, and it can be a learning experience for the security people as well."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.