I was asked: “Mike, based on your 40+ years of experience in
technologies, as a business manager, what are the common technology security
issues that I should be concerned about.” Well, I am not going to dive into the
architecture of data centers, computing platform data leakage, network
‘sniffing’, DOS or DDOS attacks and perimeter defense strategies, but as a
business manager I suggested the following security risks that are all too commonly
found (and exploited):
1. No policy on password resets.
If you allow passwords to remain unchanged for more than 90 days you are setting yourself up for a breach. Sure, it is a pain for your company internally, and it may seem even more of a pain for your customers who need passwords to access the services you provide. But those very customers are the easiest source of a breach. Would you rather explain ‘security’ or the fact that every lease and background check report has been downloaded? Having robust password structures and prohibiting re-use are good starting points. Do the math. A password of less than 12 characters begs for cracking. Using ‘remember me’ means just that - except the computer really doesn’t know who you are, so in one quick unattended minute the thief is in. Look around the leasing office and see how many passwords you can find written down – start with the post-it notes; they are a dead giveaway.
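To make the three rules in this item concrete (90-day maximum age, 12-character minimum, no re-use), here is a small policy checker. It is an added example, not code from the original post, and the staff records, dates and passwords in it are constructed for illustration. It also does the "do the math" part: the keyspace of an 8-character password versus a 12-character one over the 62 letters and digits. The history comparison uses a plain SHA-256 for brevity; a real system would store a salted, slow hash (bcrypt, scrypt or Argon2) and compare against that.

```python
import hashlib
import math
from datetime import date

# Policy values taken from the text above.
MAX_AGE_DAYS = 90      # passwords older than this are overdue for a reset
MIN_LENGTH = 12        # anything shorter "begs for cracking"
HISTORY_DEPTH = 5      # how many previous passwords may not be re-used (assumed value)

ALPHABET_LETTERS_DIGITS = 26 + 26 + 10   # a-z, A-Z, 0-9


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of keyspace for a uniformly random password of the given length.

    This is the "do the math" part: each extra character multiplies the
    number of candidates an attacker must try by alphabet_size.
    """
    return length * math.log2(alphabet_size)


def hash_password(password: str) -> str:
    # Illustrative only: production systems must use a salted slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_rotation_overdue(last_changed: date, today: date) -> bool:
    """True when the password has gone unchanged for more than MAX_AGE_DAYS."""
    return (today - last_changed).days > MAX_AGE_DAYS


def check_new_password(candidate: str, history_hashes: list[str]) -> list[str]:
    """Return the list of policy violations for a proposed new password.

    An empty list means the candidate is acceptable.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    # Compare against the most recent HISTORY_DEPTH hashes to block re-use.
    if hash_password(candidate) in history_hashes[-HISTORY_DEPTH:]:
        violations.append("reused")
    return violations


def overdue_accounts(staff: dict[str, date], today: date) -> list[str]:
    """Names of staff whose password age exceeds the policy, sorted."""
    return sorted(name for name, changed in staff.items()
                  if is_rotation_overdue(changed, today))


if __name__ == "__main__":
    # Constructed sample data: last password change per staff member.
    staff = {
        "alice": date(2024, 1, 1),
        "bob": date(2024, 3, 1),
        "carol": date(2023, 11, 15),
    }
    today = date(2024, 4, 15)
    print("Overdue for reset:", overdue_accounts(staff, today))

    # Constructed history of one account's previous passwords (hashed).
    history = [hash_password(p) for p in ("Spring2023!!x", "CorrectHorseBattery1")]
    for candidate in ("Winter2024!", "CorrectHorseBattery1", "Leasing-Office-2024-Q1"):
        print(candidate, "->", check_new_password(candidate, history) or "ok")

    print("8 chars, letters+digits: %.1f bits" %
          password_entropy_bits(8, ALPHABET_LETTERS_DIGITS))
    print("12 chars, letters+digits: %.1f bits" %
          password_entropy_bits(12, ALPHABET_LETTERS_DIGITS))
```

The entropy figures show why the 12-character floor matters: going from 8 to 12 characters over the same alphabet adds roughly 24 bits, which is about sixteen million times more candidates for a brute-force attacker to work through.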
2. Unsanctioned file shares.
If you allow staff to use ‘rogue’ or ‘freemium’ file shares you have lost control. Letting staff store company or resident related documents on file storage services of their choosing is just crazy. Once a document is sent off site under THEIR control you set your company up for problems and risks: no ability to audit access, no control over access, it’s their password not yours, no control of re-distribution of documents, and when they leave they take the documents with them.
3. Bring Your Own Device (BYOD) permitted.
Nightmare city. The wild, wild west. Managing the access and
use of personal devices may seem enlightened but the risks are truly great. What
gets put on that personal device? What access codes are stored on it? Who else
in the family can play with it? Oops, where is it? Wow, look at all those
e-mails and e-mail addresses! If allowed it must be formally understood,
managed, monitored and controlled…not just permitted. An interesting sidelight
is the issue of engaging hourly staff ‘after hours’ because their device
‘buzzes and pings’ with your business matters. Be ready to pay for that
intrusion. The labor laws are on the side of the employee.
4. Unmanaged ‘wifi’ access.
“It is too much of a nuisance to have a password protected ‘wifi’. We have lots of guests and it makes it hard for them to get online.” Remember you don’t have to be in the room to get a wifi signal. Every signal is a beacon for a drive-by hacker. Why make it easy to ‘come on in’?
5. Unsecure printing and storage of paper files.
Multiple users are allowed to print to a shared printer when they are not present to collect their print output. Unattended output is left in print trays, in full view, and can be easily picked up by the wrong user. Personal identity theft is a significant threat. The cost of that breach is severe. Look around the leasing office and just see how much personal resident information is left unattended. Now, where is that application form? Are resident paper files really locked down? Do the cleaning staff have unsupervised access to paper file storage rooms?
6. Lost or stolen smartphones and laptops.
Need I say more about this drama and trauma? If you don’t
have a ‘red event’ team and policy to shut lost devices down or immediately
restrict access, stop reading and get one started. Maybe, just maybe it is all
backed up? For two reasons: (1) the employee can continue to work and (2) you can
audit what was lost or stolen.
7. Social Media APPS on corporate systems.
A treasure trove for ‘phishing’ and re-directs. “Tell me
more, oh tell me more”. “I just love being ‘connected’ and sharing. It is sooo
cool…social media publishing is so friendly and helpful”. …really?
8. Malware everywhere and viruses from hell.
“All I did was click on that message, it said I had to”. “Oh,
that web site - seemed like it was going to be helpful”. “Here, use this jump drive storage stick, I have others”. Unless
you ensure and enforce the maximum use of ‘firewalls’ and device resident
security software you have no chance at even a semblance of protection.
In the end, a rigorous security awareness program such as frequent
mandatory end user security training sessions and frequent bulletins and
newsletters that make security awareness part of your culture will go a long
way to reducing your risk.
One last piece of advice…make someone available to help end
users when they have a security question. Encourage them to call before they
do something. Everyone will benefit from the ‘ounce of prevention that
avoids a ton of grief’.
True, security is a living ‘eight-ball’ that we will
seemingly always be behind. Those are my ‘8 balls’. How did you do?
As I always offer, if I can help or you want some advice or
counsel just send me an e-mail. I’d be happy to share what experience has
taught. I am at the moment on the warpath about the use of unsanctioned file
shares. There are cost effective solutions that can mitigate that risk and make
your end users happy.