Social engineering isn't a new concept - hackers for years have obtained confidential information by manipulating legitimate users into revealing it. But the rash of high-profile data thefts has put a big spotlight on what can happen when people give out sensitive corporate data without first verifying the recipient's identity and access privileges.
To help shore up the "human aspect" of an enterprise's security systems, Al Decker and Rebecca Whitener of the security and privacy services division at EDS have created a Top 10 list of how to create a culture of security in a company (see below).
I talked to Decker, executive director of security and privacy services at EDS, about the need for companies to balance security technology investments with employee training and provisions for policy enforcement. Those efforts need to encompass all employees - including those working in corporate offices, road warriors and home-based personnel.
When implementing security measures, many companies focus on the technology behind the processes but forget the people, Decker says. Yet if people don't have an understanding of a company's security policies and procedures, the systems won't stand up to threats.
"From my perspective, culture is by far the most significant portion of security," Decker says. "Security is about 20% technology, 80% the mindset of people using the technology."
It's critical that companies convey to their employees - local and remote - why security measures are important. Otherwise employees may view security measures simply as obstacles to getting their work done and try to circumvent those obstacles, he says. "Some employees see security as one more task they have to do to get the information they need, rather than something helping protect the value of the company."
In general, the natural tendency for IT staff is to look for a technology fix to a security issue. There's not enough focus on culture, he says.
It's a missed opportunity. If IT teams have the support of end users as they deploy new security technologies, implementations may run more smoothly than if IT is trying to deploy something to an unreceptive or unconcerned audience, Decker says.
One way to begin fostering a culture of security is to create an information protection group that brings together people from multiple departments and locations. Having a multidisciplinary team at the helm can help ensure that security policies and procedures are balanced - not too lax, not too onerous for employees to follow, Decker says.