Gartner Blog Network


Simple People Centric Security Actually Works at Large Midwest Energy firm

by Avivah Litan  |  December 7, 2016  |  2 Comments

I just returned from a Gartner peer-connect event where some 65 CISOs shared experiences, concerns and visions for a more secure future.

There were many substantive discussions but one that stood out was a case study presented by a CISO from a large Midwest energy firm who implemented some simple people-centric and whitelisting security steps that reduced his incidents by almost 80%.

People are the main attack vector, and by tightening up their vulnerability to spear-phishing, exploits, and other attacks, the company would be much more secure.  Major program steps included; establishing a ‘fun’ teambuilding security awareness program, standardizing on a Chrome browser, creating an Internet café at work where staff can engage in personal browsing in a secure network segment, and a white list of applications and allowable website traffic which was developed over time.

Here are the specific steps the firm took:

In 2014

  • Governance: Established a cross-functional group of business leaders that met regularly, focused on security education and then began to deploy tools
  • Early Roll out: Discovered that in 2014, of the 400 plus security incidents at the firm, almost 90% were triggered by employees’ personal use of the Internet.
  • In 2014, the CISO took these straightforward measures:
    • Standardized on a Chrome browser, and eliminated use of legacy IE required by enterprise applications.
    • Deployed application whitelisting to eliminate application sprawl and coached employees to approve business required applications
    • Implemented a security awareness program that was ‘fun’ to partake in.
  • Program Results – in 2015 the firm had more than a 60% reduction in security incidents at a time when attempted attacks were increasing.

In 2015

  • Internet Café for personal browsing: the firm set up a Internet café on a separate network segment where employees could engage in personal browsing from their own personal devices. Personal browsing from other corporate network segments on corporate devices was ‘softly’ discouraged and disallowed
  • Internet Whitelisting: all corporate traffic was proxied through a whitelist. A process was set up to expand the whitelist based on information security review of business justification – the whitelist grew quickly from about a thousand sites to about 12,000 but then began leveling off 6 months after it was introduced.
  • Program Results: In 2016, security incidents at the firm dropped about 40%

Overall Results

By implementing these straightforward people-centric security measures, the firm dropped their security incidents from over 400 in 2014 to just under 100 in 2016, representing about an 80% reduction in events.

Conclusion

We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people.

This energy firm proved that by implementing people-centric security and whitelisting, the attack surface is dramatically reduced.  And now, the firm can concentrate on the smaller population of leftover security events – by applying more people-centric measures and a good mix of layered security technologies.   I think we should all follow this sound approach.

Category: 

Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio


Thoughts on Simple People Centric Security Actually Works at Large Midwest Energy firm


  1. This is right on Avivah! It is always helpful to engage people in this and all processes. Technology alone won’t cut it.

  2. Ken Mages says:

    W3C is doing some interesting stuff.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.