Not a week goes by at the moment without an article appearing on sloppy user behaviour facilitating security breaches. Considering the level of access many users have to company systems (especially within small companies where access is less likely to be restricted) and the range of devices people use to access company systems and how, it’s unsurprising that users are one of the weakest points of any security set-up.
There are some simple measures you can put in place to protect your company data and security without making anyone’s life more difficult or impeding their work flow.
- Ensure everyone has an individual log-on to all devices
- Assess who needs access to which areas of your system, and apply restrictions
- Put in place an audit trail that logs exactly who has accessed which information and what changes they made
- Make information read-only or archived, if it’s unchanging or no longer needed on a frequent basis
If employees use their own devices to access company systems such as email, contacts or documents, ensure appropriate encryption is in place on the data, that all devices are passphrase protected and in the case of mobile devices, that remote wiping software is in place so that if a device is stolen its data can be removed. This might sound complicated and onerous, but consider the alternative. Imagine all the apologizing to clients, the reputation repair job that would be required, and potentially the legal actions that could arise from not taking adequate steps to protect client data.
User behaviour is important and staff need to understand the responsibilities upon them, but if ‘fit and forget’ measures are in place, it can remove many risks without your staff having to do much, if anything. The reality is that work phones are lost and stolen and laptops left behind on the train. The risk rises hugely once staff’s personal devices are included – just think of the places your phone goes with you – your staff devices will be no different. If the worst you have to face is a bill for a replacement, you’re doing well.
On a related note, if the services staff are accessing through these devices are all online, then those services remain available to them through another device and don’t disappear with the stolen item.
These are a tedious fact of modern life. They’re a pain but they’re worth doing well.
First rule of passwords:
Don’t use the same password for more than one thing
The logic of this should be obvious: if your password is compromised, whether directly from a device or by a hacking attack on a third-party provider, you want just one service at risk. If your Facebook password is also your PayPal, bank and email password, you can imagine the carnage. Keep each password unique. Services such as LastPass and FirefoxSync help to manage the vast number of passwords we all need these days. They allow the use of numerous complex passphrases as there is no need to remember each one.
Good IT hygiene
There are a few habits it’s worth developing. The first one is not automatically opening attachment. Don’t click first and wonder afterwards whether it was a good idea.
Don’t open attachments, even from trusted sources, unless they are expected. It’s not total protection but it will avoid someof the crafted social engineering techniques that are prevalent now.
Similarly: do not open URLs or display content from remote servers such as images (you should have an option in your email client not to display images automatically). Often images are crafted to identify a pattern of behaviour so the automated systems will select these users for the next level of intrusion. Simply visiting a URL can begin the process of infecting a PC by compromising the web browser with script that can, for example, provide complete remote access to your PC or record keystrokes, send your browsing history or possibly granting access to your saved passwords.
Turn off any non-essential add-ons and script services in web browsers. This can
help prevent exposure. Services provided by Mozilla, Google and MS can help identify
previously seen problem sites. Your desktop services company can advise on and perform
these changes for you. Where possible we recommend removing unnecessary services
and software rather than adding more security software to control them.
Log out of services that you aren’t actively using at that moment. This includes all social media, email, web editing, news sites – whatever it is you need at work (all this applies to private use, too). Minimize your exposure wherever you can.