"It's not about embarrassing or surveilling anyone. It's really about giving material that means something at the moment when they click on the [phony] link," Mankovich says.
Depending on the exact nature of the attack, tips might include questions like: Did the email come from a trusted source? Was there something misspelled or unusual about the link? Did you remember to hover the mouse over the link and check the bottom of the screen to see if the actual target URL matched the one in the body of the message?
So far, Philips has conducted three phishing experiments involving 250 employees each; eventually, Mankovich hopes to test all of the company's 90,000 email-connected employees worldwide. Future tests will be stealthier and more intricate, he says.
"At the end of each pilot, we talk to a few of the users to see what they felt about the experience -- both those who fell for the phishing and those who did not," Mankovich says. "We [typically] have a very small percentage of people who did the bad behavior, and those people do get the message."
Saying 'Yes, but...'
Help the Business Do Its Job -- Securely
Insurance provider Endurance Specialty Holdings tries to establish policies that don't limit users from performing their jobs, says CIO Tom Terry. "There's generally a good reason why they're asking for a particular software, tool or device. We attempt to understand the problem they're trying to solve and give them tools to address their needs in a secure manner."
For instance, many business units needed USB devices to transfer data, but the IT organization knew that USB devices can be a major contributor to data loss if they're not managed properly. So the Endurance IT team said "yes, but..." by distributing the devices but also instituting -- and explaining -- a policy mandating that the devices had to be password-protected and encrypted.
"When the business sees you working with them in a collaborative fashion, then you can move the dial forward" in terms of a shared corporate response to security, says Terry.
3. Protect to Enable
In light of the increasingly virulent cyberthreats out in the wild, IT leaders struggle to protect the organization while giving business units the freedom to choose their own apps, launch their own online initiatives and adopt new devices. But "the more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Harkins says.