Archive for the ‘Awareness’ category

More Thoughts on Blocking Access to Social Networking Sites

August 5, 2010

A few days ago we discussed some of the early findings from our recent survey on social media behavior among end users (part of our end-user awareness service).  Expanding on that insight, we note that companies that are blocking access to social media are not seeing less employee usage of social media sites like Facebook. The usage still takes place, the usage is just as likely to concern workplace issues, and the usage is just as likely to take place during work hours—users either get around technical blockades, or they use their mobile devices.

What’s a CISO to do?

While accessing social media sites through the corporate infrastructure brings some risks around malware and the like, these are not that different in kind or in magnitude from general internet access. The main social media risks—data leakage and reputation damage—remain pretty much unchanged however the sites are accessed. IREC believes that—regulations permitting—organizations should open up social media access. The harm is low, and the benefits are large:

  • First, you help shed Security’s image as the function that says “No.”
  • Second, you will enhance collaborative opportunities in your organization.
  • Third, and most interesting from Security’s point of view, you can monitor the traffic to the social networking sites. This allows you to monitor for outgoing data, understand how users are using these sites, and identify individuals or groups of users for targeted social media awareness efforts. Why drive usage underground where you can’t do this?

For those who are reconsidering their social media access policy, here are some data we have collected on this topic. We have been asking our members about their social media access posture for more than two years now, sometimes in slightly different ways and across different venues. In all we have about 15 data sets, with an average N of about 20. We narrowed down the responses to three categories: those who pretty much allow everything, those who pretty much block everything except for one-off exceptions for business purposes, and those in the middle who allow access for most users but have significant limitations or focused technical controls in place. The data are a bit noisy, but we think the trend over the last year towards allowing at least controlled access is pretty clear.

Percentage of companies blocking social media site access


IREC members may explore further with these resources:

Note: to find our complete collection of data sets like these covering all security topics, visit our Peer Polling Results Browser.

To learn more about our research in the social media space, attend our upcoming webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.


Protecting social media risks

August 2, 2010

Our recently conducted survey on social media policy and usage shows that of the over 17,000 end users surveyed at Fortune 500 companies, nearly 70% are using social media. Of these total end users we found:

  • 35% are accessing social media on their mobile device, regardless of whether social media sites are blocked by the company
  • 15% are engaging in risky activities that are primarily work related, such as posting company or client information on consumer collaboration sites like Google Docs
  • Usage of social media for these high-risk activities is higher in the non-management and middle management ranks
  • Perception of social media risk is different from traditional end-user IT risks like leaving a laptop unsecured or sharing a password

So what are the implications of these findings for the CISOs inundated with social media requests and looking for ways to mitigate social media risk?

Implication #1: Given a third of end users access social media through personal mobile devices at work, traditional blocking approaches will not work.

Implication #2: End-user awareness is a key tool to manage end-user risk, and it should be specifically targeted at end users using social media at work.

Implication #3: Unlike traditional IT risk awareness where senior management is usually least aware, social media training should focus on rank and file.

Implication #4: Finally, given that end users sometimes use the same social media space for both personal and work-related activities, training needs to be more nuanced and focus on both professional and personal usage of social media.

Members can learn more about our research in the social media space at our webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.

Where are the sessions on awareness at the RSA conference?

March 3, 2010

I’m attending the RSA conference in San Francisco this week. We at IREC think a lot about the value of end-user awareness, and we argued recently that most security organizations should increase their awareness budget. As I looked through the program for the RSA conference, I noticed there were not very many sessions that addressed awareness or the end-user. In fact, even when you count sessions on social engineering, only 2% (5 of 242) of the sessions this year address the end-user!

Pretty poor representation for such an important topic.

However, it does correspond well to the 2% of our budgets we spend on awareness.


One More Prediction for 2010, But Are We Going to Heed It?

December 28, 2009

In our last post we gathered together the pundits’ predictions for 2010, but perhaps predictably (sorry), they seem to be more about a focus on surprise and novelty than actual risk-based predictions. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Even worse, even those who know what that risk is are not acting strongly enough to manage it.

IREC in Wall Street Journal article about email monitoring

December 1, 2009

Quoted as “The Corporate Executive Board”, we supplied some commentary and data for an article in the European edition of the Wall Street Journal. The article is not available online, but it appeared on page 31 of the November 24 issue. (It is similar to the article “Some Courts Raise Bar on Reading Employee Email” from the US edition, but focuses on EU/UK issues.) We’d like to take advantage of the extra space available here to clarify our main points and provide additional data to those cited in the article.


Happy National Cybersecurity Awareness Month!!

October 2, 2009

October is National Cybersecurity Awareness Month in the US (read the full White House press release here).

Excerpting from the press release, President Obama says: “I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with appropriate activities, events, and trainings to enhance our national security and resilience.”

Looks like CISOs are jumping on the bandwagon too by leveraging the press/buzz this receives to drive security awareness at their respective organizations. From a recent thread in one of IREC’s discussion forums, we heard a variety of events CISOs are planning at their companies:
– Declaring a “Cybersecurity Day” in October featuring an external expert speaker
– Interviews with company leaders on the importance of cyber/information security that will be broadcast globally
– Tent cards in cafeterias and cybersecurity awareness bookmarks
– Encouraging employees to complete the online security training module in October

In the age of information overload and flat budgets (the average company spends 2% of its security budget on employee awareness and training), it is very hard to get employees’ attention to matters such as secure behavior. I’m glad that the US Government drawing attention to this matter will provide a much-needed ‘hook’ for CISOs to draw attention to security in their companies.

Handy Resources for Responding to WSJ-Inspired Questions

September 23, 2009

Fortunately the three articles in today’s WSJ on IT Security are a lot less troublesome than those of two years ago. Nevertheless, it is a good idea to be ready to respond to questions coming out of the articles from senior executives and managers in your organization. The elevator pitch is probably,

Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?

With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threats, but go on to address a wide variety of related risks. I’ll try to organize this post a little more consistently rather than respond to each article point by point.