Social engineering isn't a new concept - hackers for years have obtained confidential information by manipulating legitimate users into revealing it. But the rash of high-profile data thefts has put a big spotlight on what can happen when people give out sensitive corporate data without first verifying the recipient's identity and access privileges.
To help shore up the "human aspect" of an enterprise's security systems, Al Decker and Rebecca Whitener of the security and privacy services division at EDS have created a Top 10 list of how to create a culture of security in a company (see below).
I talked to Decker, executive director of security and privacy services at EDS, about the need for companies to balance security technology investments with employee training and provisions for policy enforcement. Those efforts need to encompass all employees - including those working in corporate offices, road warriors and home-based personnel.
When implementing security measures, many companies focus on the technology behind the processes but forget the people, Decker says. Yet if people don't have an understanding of a company's security policies and procedures, the systems won't stand up to threats.
"From my perspective, culture is by far the most significant portion of security," Decker says. "Security is about 20% technology, 80% the mindset of people using the technology."
It's critical that companies convey to their employees - local and remote - why security measures are important. Otherwise employees may view security measures simply as obstacles to getting their work done and try to circumvent those obstacles, he says. "Some employees see security as one more task they have to do to get the information they need, rather than something helping protect the value of the company."
In general, the natural tendency for IT staff is to look for a technology fix to a security issue. There's not enough focus on culture, he says.
It's a missed opportunity. If IT teams have the support of end users as they deploy new security technologies, implementations may run more smoothly than if IT is trying to deploy something to an unreceptive or unconcerned audience, Decker says.
One way to begin fostering a culture of security is to create an information protection group that brings together people from multiple departments and locations. Having a multidisciplinary team at the helm can help ensure that security policies and procedures are balanced - not too lax, not too onerous for employees to follow, Decker says.
On the training front, there was a tendency in the past to overlook teleworkers in desk-centric corporate initiatives such as these. But the good news is, Decker sees that happening a lot less these days. "There's a clear recognition today that more and more employees are telecommuters or part of a mobile workforce," he says.
There is a slew of technologies aimed at securing remote access, and companies are getting savvy about bringing off-site employees into security training and awareness initiatives, he says.