I just returned from a Gartner peer-connect event where some 65 CISOs shared experiences, concerns and visions for a more secure future.
There were many substantive discussions but one that stood out was a case study presented by a CISO from a large Midwest energy firm who implemented some simple people-centric and whitelisting security steps that reduced his incidents by almost 80%.
People are the main attack vector, and by tightening up their vulnerability to spear-phishing, exploits, and other attacks, the company would be much more secure. Major program steps included; establishing a ‘fun’ teambuilding security awareness program, standardizing on a Chrome browser, creating an Internet café at work where staff can engage in personal browsing in a secure network segment, and a white list of applications and allowable website traffic which was developed over time.
Here are the specific steps the firm took:
- Governance: Established a cross-functional group of business leaders that met regularly, focused on security education and then began to deploy tools
- Early Roll out: Discovered that in 2014, of the 400 plus security incidents at the firm, almost 90% were triggered by employees’ personal use of the Internet.
- In 2014, the CISO took these straightforward measures:
- Standardized on a Chrome browser, and eliminated use of legacy IE required by enterprise applications.
- Deployed application whitelisting to eliminate application sprawl and coached employees to approve business required applications
- Implemented a security awareness program that was ‘fun’ to partake in.
- Program Results – in 2015 the firm had more than a 60% reduction in security incidents at a time when attempted attacks were increasing.
- Internet Café for personal browsing: the firm set up a Internet café on a separate network segment where employees could engage in personal browsing from their own personal devices. Personal browsing from other corporate network segments on corporate devices was ‘softly’ discouraged and disallowed
- Internet Whitelisting: all corporate traffic was proxied through a whitelist. A process was set up to expand the whitelist based on information security review of business justification – the whitelist grew quickly from about a thousand sites to about 12,000 but then began leveling off 6 months after it was introduced.
- Program Results: In 2016, security incidents at the firm dropped about 40%
By implementing these straightforward people-centric security measures, the firm dropped their security incidents from over 400 in 2014 to just under 100 in 2016, representing about an 80% reduction in events.
We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people.
This energy firm proved that by implementing people-centric security and whitelisting, the attack surface is dramatically reduced. And now, the firm can concentrate on the smaller population of leftover security events – by applying more people-centric measures and a good mix of layered security technologies. I think we should all follow this sound approach.
Read Complimentary Relevant Research
Predicts 2017: Artificial Intelligence
Artificial intelligence is changing the way in which organizations innovate and communicate their processes, products and services. Practical...
View Relevant Webinars
The Education CIO Challenge: IT Is a Team Sport
This video will outline key Education CIO challenges and recommendations based on business and technology trends in education as well...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.