“If the business is not willing to change, then organizations will have trouble getting value out of these [vendor] products,” Proctor says. “And if you’re not willing to change, you’re just wasting your money.”

Making Use of What You Learn
At WebEx, there was a concerted effort to change and use the information and violation scenarios that the iController found to help better educate employees about the security risks by providing actual examples of inappropriate actions. Like most companies that turn on a network monitoring product, WebEx found that “majority of incidents are related to employees making a mistake,” says Barr.

For example, some WebEx employees who worked from home sometimes sent unencrypted documents, which had proprietary information in them, to their home e-mail addresses. In addition, other employees would occasionally send their user name and passwords over the network. These violations were against company appropriate-use policies, and the new system quickly alerted Barr to the problems so that he could take action.

Now, not only does Barr’s group follow up on each incident but his team counsels those involved to show them what they did wrong and how it could have affected the company’s security through what he calls a minisecurity awareness program. “We remind them of our policies, what their obligations are and what tools we have in place to monitor [their actions],” he says. “We also show them what [the policy] is that they violated or had the potential to violate.”

Barr has incorporated the real-life events (such as an employee who sent her user name and password information through her AOL account) into new-hire and ongoing training programs, which he thinks is critical. “It helps put some perspective on how the actual incidents did occur and how it relates to them in their day-to-day jobs,” he says. “They can see themselves in a potential violation situation, and they might relate to it more than just talking about policies.”

His team has worked with HR and legal to revise document management policies to better protect sensitive information. All this ensures that employees “learn from the mistakes of others,” Barr says. In addition, WebEx, like many companies, informs employees that the company has the ability to monitor networks, chat, Web-mail and e-mail functions to detect offending signatures —such as if the word “confidential” is located within an e-mail, which will then trigger an alert through the iController system.

Three years after the sales-force incident, Barr and his fellow executives feel much more comfortable about how they can better plan for and deal with network security. Barr cites decreases in the time it takes complete an investigation (such as the sales-force one) and the number of violations and potential violations during the past three years; he declines to give specifics about these changes, but he attributes them to employees’ better understanding of WebEx’s processes as well as an increased awareness of security risks.