I just returned from a Gartner peer-connect event where some 65 CISOs shared experiences, concerns and visions for a more secure future.
There were many substantive discussions but one that stood out was a case study presented by a CISO from a large Midwest energy firm who implemented some simple people-centric and whitelisting security steps that reduced his incidents by almost 80%.
People are the main attack vector, and by reducing their vulnerability to spear-phishing, exploits, and other attacks, the company would be much more secure. Major program steps included: establishing a ‘fun’ team-building security awareness program, standardizing on the Chrome browser, creating an Internet café at work where staff can do their personal browsing in a secure network segment, and a whitelist of applications and allowable website traffic that was developed over time.
Here are the specific steps the firm took:
In 2014
- Governance: Established a cross-functional group of business leaders that met regularly, focused first on security education and then began to deploy tools.
- Early roll-out: Discovered that in 2014, of the 400-plus security incidents at the firm, almost 90% were triggered by employees’ personal use of the Internet.
- In 2014, the CISO took these straightforward measures:
  - Standardized on the Chrome browser, and eliminated use of the legacy IE required by enterprise applications.
  - Deployed application whitelisting to eliminate application sprawl and coached employees on getting business-required applications approved.
  - Implemented a security awareness program that was ‘fun’ to take part in.
- Program results – in 2015 the firm had more than a 60% reduction in security incidents at a time when attempted attacks were increasing.
In 2015
- Internet café for personal browsing: the firm set up an Internet café on a separate network segment where employees could do their personal browsing from their own personal devices. Personal browsing from other corporate network segments on corporate devices was ‘softly’ discouraged and disallowed.
- Internet whitelisting: all corporate traffic was proxied through a whitelist. A process was set up to expand the whitelist based on an information security review of the business justification – the whitelist grew quickly from about a thousand sites to about 12,000, but then began leveling off 6 months after it was introduced.
- Program results: In 2016, security incidents at the firm dropped about 40%.
Overall Results
By implementing these straightforward people-centric security measures, the firm cut its security incidents from over 400 in 2014 to just under 100 in 2016, representing about an 80% reduction in events.
Conclusion
We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people.
This energy firm proved that by implementing people-centric security and whitelisting, the attack surface is dramatically reduced. And now, the firm can concentrate on the smaller population of leftover security events – by applying more people-centric measures and a good mix of layered security technologies. I think we should all follow this sound approach.
2 Comments
This is right on, Avivah! It is always helpful to engage people in this and all processes. Technology alone won’t cut it.
W3C is doing some interesting stuff.