
Turn Workers Into Security Partners

Rather than merely protecting employees, or protecting the business against them, security managers should enlist users as partners in defending the business.

When the "Here You Have" worm started spreading last week, Intel had only a small number of its computers infected.

The company's traditional defenses definitely helped, but a critical advantage was its well-trained employees, says Malcolm Harkins, Intel's chief information security officer. When workers saw the worm and recognized it as a threat, they immediately started calling the IT team.

"The employee base saw it, they reacted really quickly, and helped us contain it by alerting us to it and then telling others not to click on it," Harkins says.

With the ubiquity of mobile devices and the ability to do work anywhere, companies need to change their mindset toward their employees and treat them as security partners. Recent research has found that employees are increasingly bringing personal devices, such as smartphones, into work or using personal Web services, such as social networks, at work.

Attempting to block workers from accessing potentially dangerous technologies does not work, says Ted Schadler, a vice president and principal analyst at Forrester Research. In their new book, Empowered, Schadler and co-author Josh Bernoff argue that managers need to help employees use today's innovative technologies to help companies thrive.

"If you are too obstructive, workers will just do an end-run around you," says Schadler.

Many companies have treated workers as a flock to be protected or as wolves to be protected against, not as the shepherds they could be. For security managers, that means teaching employees not just how to avoid threats, but how to help protect the company against them.

"We rethought our security strategy and, you know what, people are the new perimeter," Intel's Harkins says. "So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures."

While companies should continue to deploy data protection technology and monitor logs to detect potential data leaks, recruiting employees through training can provide a contingent of additional security help, he says.

Moreover, the security team itself can use innovative technologies to further its mission. For example, Intel's security teams occasionally hold internal "Web jams" -- collaborative online sessions between team members and employees that build awareness of security and corporate policies. This social networking helps the security team connect more closely with employees, Harkins says.

"People want to have debate and discussion," he says. "We see it as a channel to leverage to get people to understand these risk issues."

Finally, allow employees to make mistakes and own up to them, Harkins and Schadler say. Taking responsibility is part of empowering the employee to help security, rather than hindering it.

"Mistakes sometimes happen," Harkins says. "Don't overreact to mistakes. Use it as a learning experience for the employee, and it can be a learning experience for the security people as well."
