Cisco Systems is rolling out an internal security awareness programme to sensitise staff to the dangers they face from cyber criminals.
Cisco supplies most of the routers and switches that make the internet work, which places it at risk from hackers.
"We are the target," says Chris Burgess, a behavioural psychologist and senior security advisor at Cisco, who helped design the programme.
Cisco's internal programme is driven by the board, and its main thrust is people rather than technology. It has introduced videos to raise the security awareness of staff and has beefed up background checks on new employees to include criminal records.
"But the key check is whether they fit," he says. "If you hire well you reduce the threat because people arrive with less baggage."
Cisco makes mobility tools secure by default. Burgess's laptop, for example, is governed by Cisco's own Security Agent software, which limits what he can and can't do.
"We have a self-defending network that stops a lot of trouble from developing," he explains.
And some Cisco executives are not allowed to cross international borders with PDAs, mobiles or laptops. This is in case they are confiscated or copied for the sensitive information they might be expected to contain.
While technology can help, changing human behaviour is key, says Burgess. He blames the work-life imbalance for putting good security practice at risk.
"If you want people to be 'always on', when are they going to do their personal stuff?" he says.
"You have to accept that they are going to use cellphones, PDAs and laptops for both business and personal things, and some may be insecure.
"People mostly want to be good, so you need to make it easier for them to be good. Rather than tell them not to do stuff, tell them the right way to do things. Secure behaviour needs to be the default, not the bolt-on."
Laying down the law isn't enough, he adds. "Security awareness is a use it or lose it mindset. Without 'booster shots', people soon get slack.
"You have to stay engaged. Make sure that you have a staff assistance programme in place, in case someone develops sudden personal problems and is tempted to steal and sell information to get through a bad patch. And that service should be anonymous or at least carry no stigma," he says.
People follow examples, especially their bosses', says Burgess. "If you can get the boss talking and behaving in a way that shows that security is everyone's responsibility, the message is that much more vibrant."