Informed CIO: Endpoint Security


Get Users to Care About Security

Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it’s a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. The more they understand—and care—about how their computing behavior affects the company’s security posture, the better off the company will be. Of course, it’s easy to say, “Get end users involved in security.” It’s hard to make it happen. This report offers practical guidance on how to engage employees in ways that can result in meaningful changes to their security-related attitudes and behaviors.

First and foremost, security engagement must be driven by the executives—all the executives—not just the CIO or front-line IT staff. If the CEO and business leaders demonstrate the need to take security seriously, employees follow suit. If executives aren’t ready to get on board, try a wake-up call in the form of a phishing test. Run a simulated phishing attack against your organization and track the number of employees who fall for it. You may be surprised (and dismayed) to see just how vulnerable your organization is.

Next, get employees’ buy-in. The best way is to appeal to their self-interest; the security behaviors and information you provide at work can also be used at home, helping people safeguard themselves and their families from financial fraud, data loss and online predation. Another way to get employees on board is through direct communication from IT and business leaders. Real-time, in-person interaction sends a powerful message that this subject is important. IT’s credibility also goes a long way toward getting your message across. If your IT shop isn’t regarded as a trusted technology partner, you have some ground to make up first.

Table of Contents

    Author’s Bio
    Executive Summary
    The Human Condition
    Rogue Elements
    Phish Test
    Get Users to Care
    Five-Step Program
    Related Reports

    Figure 1: Security Policy Decision Makers
    Figure 2: Increase in Employee-Owned Mobile Devices
    Figure 3: Number of Authentication Factors
    Figure 4: Data Loss Disclosure

About the Author

Research: IT Governance

Jonathan Feldman serves as director of information technology services for a city in North Carolina. The city has won several technology innovation awards during his tenure, including the International Economic Development Council New Media Award. He has also directed professional services in the private sector, providing security and network infrastructure services to the military, healthcare, financial services and law enforcement markets.

Jonathan has worked for 20 years in the fields of IT security, reliability and human resources management, and has written, taught and consulted extensively on these topics, notably as co-author of Maximum Security and author of Teach Yourself Network Troubleshooting. His writing, which readers call “funny and easy to read,” has been translated into many different languages. As an award-winning Network Computing and InformationWeek contributing editor, he has worked with dozens of public- and private-sector organizations to document real business benefits, risks and appropriate governance of new technologies and surrounding practices and procedures.

A speaker at regional and national venues, including Interop, PC Expo, CNet Radio, The Institute of Internal Auditors and for the United States Army, Jonathan has been active in the community with organizations such as Infragard and GMIS International. He holds an MS degree from Georgia Tech.
Write to him at jf@feldman.org.

Related Reports

Research: Mobile Device Management

The only constant in mobility nowadays is change. Former market leaders such as RIM and Microsoft are now followers straining to keep pace with consumer-driven operating systems from Google and Apple. Almost 80% say tablets will grow in importance. No two platforms have the same security and management hooks, yet your end users are demanding email, calendaring, VPN access and much more—64% are on board with custom apps. This is changing the face of computing—and terrifying the IT managers charged with providing productivity tools while maintaining control of sensitive data.

Informed CIO: Striking a Security/Usability Balance

At CES we saw dozens of new tablets and smartphones with unprecedented capabilities. Employees want to make full use of their shiny new devices, while IT teams want to maintain security and control. The principles of secure user access provide a strategy for CIOs to maintain equilibrium.

IT Pro Ranking: Endpoint Antivirus/Anti-Malware

Kaspersky Lab and Sophos top our IT evaluations of nine antivirus/anti-malware vendors. Upstart Malwarebytes scores a 4.3 out of 5 for malware removal, the highest score in that category. Symantec and McAfee are the most widely used vendors, but 46% of respondents are considering replacing or adding a vendor. Lucky for them, choices abound in this market.

Strategy: How to Pick Endpoint Protection

When it comes to protecting PCs and laptops, IT puts too much emphasis on malware detection. You'll get better results by focusing on performance, management and--most importantly--how users and the security software interact. This report tells you how to evaluate endpoint security software based on what really matters.

Strategy: Mobile Device-Borne Malware

iPhones, iPads and Android devices are making their way into your company—like it or not. These devices are opening a new gateway for malware that old security tools and procedures can’t completely close. Security professionals must combine education, policy development, and the use of existing tools and new mobile device management systems to effectively balance mobile device risk with productivity rewards.
