How Employees Accidentally Compromise Their Company's Cyber Security by Asher DeMetz
Too often employees inadvertently compromise their company's cyber security policies.
As a white hat hacker whose job it is to look for loopholes in cyber security, I love to check out cars and bars. Not for the people, particularly, but for the number of laptops I can find left in the open: unattended, forgotten, and overlooked. In bars, laptops sit on chairs and countertops. In cars, they are often carelessly half-covered with a jacket or a bag – but, often enough, they are sitting there plainly for all to see.
Don’t think this is an uncommon occurrence. It is so common that, in a recent survey commissioned by Sungard Availability Services*, leaving laptops and mobile phones in vulnerable places was the #1 problem area noted by respondents. These are the folk who ought to know – they are the ones who get the frantic calls of “My laptop has been stolen! What do I do?!”
So what can a company do to stop a white hat hacker like me, or, more significantly, a black hat hacker? The answer: Lots.
The most important thing – bigger than any other precaution – is to encrypt the laptop hard drive. Encrypt the data, the operating system … everything. That way, if the laptop does get stolen, the criminals can’t get into your network unless they also crack the person’s password.
Which brings us to the second point: enforce strong passwords among employees. The survey reported that forced inclusion of special characters (43%) and length (31%) are the two components of password hygiene that are most frequently ranked highest in importance. With a strong password, chances are good that a hacker won’t be able to break into a stolen laptop. And even if they can, you have done a very important thing: you have bought yourself time.
That time gives you breathing space to take a third step. You can freeze the employee’s account. As soon as the panicked call comes in from the employee that their laptop or mobile phone has been stolen, freeze their account. With the account frozen, the hacker is welcome to crack the password since it won’t work anymore, regardless. Get a new laptop to the employee, and have them change their password … and make it a good one!
If you have chosen to place tracking software on your laptops, there is a chance you will get your equipment back. The tracking software will give you and law enforcement a heads-up on location if the thief does try to tap into your system. Also, have your employee report the laptop as stolen, and make sure they fill out the police reports.
Another key point is to forbid employees from storing data on their laptops. Data should always be stored on the server. Without sensitive information on the laptop itself, the risk to the company drops significantly, even if a laptop is stolen. Security software should be installed to scan systems for sensitive data which, if discovered, should be moved to the employee’s shared drive on the server and the event reported to IT. Repeat offenders should be re-educated in company policies and security awareness. That way, if a laptop is stolen, the chance that sensitive data was present on it is much lower.
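The scanning step above is the kind of check that “security software” performs on an endpoint. As an added illustration (not code from the article or from Sungard Availability Services), here is a small Python scanner that looks for payment-card numbers (validated with the Luhn checksum, so random digit runs are not flagged) and US-style SSNs across a constructed set of file contents, reporting only masked values so the report itself does not leak the data it found.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "laptop" files for the demo; none of this is real data.
SAMPLE_FILES: Dict[str, str] = {
    "notes.txt": "Call Bob re: Q3 numbers. Card on file: 4111 1111 1111 1111",
    "readme.txt": "Build with make; see docs/ for details.",
    "hr_export.csv": "name,ssn\nJane Doe,123-45-6789\n",
    "ids.txt": "Order 1234-5678-9012-3456 shipped",  # fails Luhn: not a card
}

# 14-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each card number or SSN found in text."""
    hits: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # keep only checksum-valid card numbers
            hits.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file name to its findings, omitting files with none."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for name, text in files.items():
        hits = find_sensitive(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {hits}")
```

In a real deployment the file contents would come from walking the user’s home directory, and the report would feed the “move to the server and notify IT” workflow the article describes.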
Finally, educate employees on cyber security – and do it often. Let them know that cyber security isn’t rocket science. It’s a matter of not leaving valuable equipment out for the world to see – and snatch. It’s about making strong passwords, even if they are harder to remember than their children’s names or birthdates. It’s about using the server as it was designed to be used, rather than “conveniently” putting files on their hard drive for “easy” access.
Many cyber security threats can only be countered with sophisticated technology. The #1 way that employees compromise cyber security can be effectively combated with that age-old weapon: common sense.
*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.
This article was previously posted on Forbes and Sungard Availability Services.