Cisco on Cisco
Creating Good Security Citizens

Technologies that work together to protect information resources are invaluable. Beyond the racks of firewall, antivirus, intrusion detection and encryption equipment, however, lies perhaps the greatest opportunity in securing corporate information: positively influencing human behavior.
An approach that Cisco takes to help create good security citizens is to share anecdotes about user activity, whether unintentional or malicious, that has put the company at risk and the consequences of that precarious activity. “The tendency in information security is to shroud events in secrecy for fear that revealing them will make us look bad,” says Cisco Chief Security Officer John N. Stewart. No information security team wants to boast about a breach, “but maintaining the illusion that nothing is happening doesn’t help educate users about the possible ramifications of their behavior,” says Stewart.
A common example of potentially dangerous behavior is reflexively clicking “yes” in a security agent alert window that appears on a user’s screen. “When your system notifies you that your operating system is doing something unusual, don’t just assume that it is OK,” says Stewart. For example, users who double-click an e-mail attachment and get a message that the attachment is “trying to run an operation on your computer” should pause to consider whether it is, in fact, attempting to execute a command that they have requested, and then take the appropriate course of action.
Quick Thinking
Another common faux pas occurs when a user types a couple of letters into an e-mail address field and the mail tool’s address book function, programmed to “help you,” automatically completes it with the wrong address without the user noticing. Exactly this happened at Cisco: a spreadsheet containing sensitive personnel information was mistakenly sent to a group distribution list across Europe rather than to the intended individual. The sender quickly followed up with an apology note asking recipients to please refrain from opening the attachment. “That was a well-intended move,” says Stewart, but such requests typically “pose a tantalizing invitation to many people to open the attachment.”
The sender also had the presence of mind to quickly open a case with Cisco’s technical support. An engineer realized that Cisco Security Agent, the multifunction security software that runs on all Cisco employees’ PCs, could be used to block users from opening the problematic message. The technical support engineer deleted the e-mail from as many user in-boxes as possible, and then blocked the ability to open the message on the remaining machines.
In the meantime, Cisco technical support could see who ignored the request and opened the attachment. By letting the general Cisco user base know about the incident and its fallout, Stewart hopes to keep users educated about the most appropriate behavior to help protect the company, given that the same mistake might happen to them one day. “Quite simply, when someone asks you not to open an attachment, don’t,” says Stewart.
Engaging Management’s Help
To increase awareness of such incidents, Stewart’s team conducts weekly briefings with some 30 top Cisco executives to keep them informed about security-related issues that have happened throughout the company. The goal is to “imprint a memory that inspires users to change behavior,” Stewart says.
It often takes buy-in from executive management to change behavior patterns that are well-intentioned, but carry potentially dangerous side effects. Consider, for example, the Cisco developer who was working long hours on a project using a desktop computer at the office and at home. He happened to live in an area where his Internet access link frequently dropped his virtual private network (VPN) connection to the Cisco data center, impeding his ability to work productively from his house. So that he could have dinner with his family and continue working when the kids went to bed, he e-mailed code that he was writing to his personal Hotmail address and, from there, downloaded it to his home computer so that he could work on it locally without WAN interruptions.
The employee’s intentions were good: he was trying to meet management’s tight project schedule while also living up to his family commitments. But in doing so, he broke a corporate policy and put the project — and Cisco intellectual property — at risk.
By making the situation known to executive management, Stewart’s team was able to get time added to the project’s development schedule, says Stewart. The outcome relieved the employee from having to choose between work and family, or strike a risky compromise between the two.
Shattering Illusions, Rewarding the Positive
At the end of each quarter, Stewart presents executive management with an aggregate of all security events that were foiled before they could have a negative impact to the company. “The point is to shatter the illusion that nothing is happening. If you get too good at security, people might think there’s little to worry about and, in effect, that your budget perhaps can be better used elsewhere,” says Stewart. “By telling our executive team about the real attacks and incidents that have been deflected regularly, we demonstrate what could go wrong and help to keep security top of mind.”
Stewart also believes in incentives for people who do something good for the security of the company, so his awareness team has created the Cisco Security Champions program to reward positive behavior. An employee who is nominated and wins the award is recognized at an all-hands meeting where his or her manager is present, receives a cash award, and has his or her name engraved on a perpetual plaque celebrating the employee’s achievement. Today, there are 20 security champions around the company who are conscientiously doing their part to protect Cisco’s intellectual property and assets.
The empowerment of working in a dynamic, resource-rich environment like Cisco carries with it accountability on the part of employees to do their best to protect the company. “With freedom, comes responsibility,” Stewart concludes, “and at Cisco, as with any organization, we must all do our part to protect what is valuable to us.”
For More Information
Podcast with John Stewart
Cisco IT Security Solutions
Cisco on Cisco
