Intel Corp. employees received a suspicious e-mail message one day from an unknown third-party company that claimed to be conducting a survey on behalf of the human resources department. Phishing-scan red flags went up, and administrators quickly advised employees not to open the e-mail – it could be an attack.
The alert was a false alarm. The survey was legitimately collecting internal information on the CPU manufacturer’s behalf, but the human resources department hadn’t told staff about it.
It was more than just a red herring for Malcolm Harkins, general manager of information risk and security at Intel. It demonstrated how important people are in keeping a company’s information secure.
“Our employees created a behavioural immune system response as a protection against that e-mail,” he says. “You can’t block every piece of spam, but if your people are more attuned to what to look out for, they can be part of the perimeter.”
That was the message Harkins wanted to get across to his audience in an Intel Premier IT Professional Webcast yesterday – “People are the new perimeter.” Intel keeps its staff educated about appropriate behaviour on social networking sites, and has enforceable policies that make clear where the line is drawn with the sharing of information. The goal is to protect the company and its staff from cyber-criminals.
Intel educates its staff on the dangers of social media.
It’s a topic of increasing concern amongst companies, says Tim Hickernell, associate lead research analyst with London, Ont.-based Info-Tech Research Group. Companies must rely on training staff to limit their exposure on the Web because there are no good enterprise-level controls available for the IT department to control the flow of information over social network sites.
“There are no controls or policies that IT can set in place, they just don’t exist,” he says. “You’ve got to actually train people and get their buy-in to a company policy.”
Intel’s enterprise protection strategy now places focus on the behaviour of its staff. The social network sites they’re visiting, the mobile devices they’re carrying, and what data a person is accessing in the company is all taken into consideration.
An annual training program at Intel sees employees educated on policies that are honed to their role. From the engineers down to the sales staff, all end-users are given a half-hour class on awareness of how to keep information confidential.
“We’ve seen a huge payback from this,” Harkins says. “People can be taught to recognize and manage what could be risky behaviour and they can help respond to attacks.”
But this sort of training isn’t the norm. Only one-quarter of the Webcast participants said their company trained employees in this way.
Avoiding a blanket policy for the whole organization and instead focusing on the needs of different roles is important, Hickernell agrees. The analyst recommends that organizations adopt a policy under which employees keep separate social networking accounts for work and for personal use.
“The employees that need access to the public service should have IDs made up for that specific purpose,” he says. “We even recommend that IT be involved in setting these up with the corporate e-mail for that account.”
Mixing personal and professional networks opens a company up to more risks, the analyst adds. It just takes one user to grant access to their entire network, and suddenly everyone’s private information is exposed.
But Hickernell advises against completely blocking access to social networks. Despite the risk involved, there are many benefits to using tools like Facebook or LinkedIn. Examples include the creation of groups to recruit from colleges, support of product marketing with referrals, and professional networking.
At Intel, the trend is towards widening employees’ ability to share information, especially on the company’s intranet. For example, the company recently loosened its policies on employee posting of self-recorded audio and video.
“What we didn’t do was open it up to ad-hoc meetings unless it was approved by the group’s legal counsel and all the people being recorded were given notice of choice,” Harkins says.
But when the company’s policies are intentionally violated, they are enforced, the general manager says.
“If someone leaks information, it can be punished up to and including termination,” he says. “If it was purely intentional, then the bare minimum is a letter of warning.”
Social media isn’t going to go away any time soon, Harkins adds. It is something that companies are going to have to think about sooner or later.
As for the possibility that public social networking sites like Facebook will add some corporate-level security controls – well, it’s just not very likely.
“They haven’t figured out how to monetize those sorts of controls,” Hickernell says.
It could be up to a third-party company to release such a product.