by Mike Semel
When we think about cyber-security, we naturally think of technology tools that block North Korean or Chinese hackers from breaking into our networks. Those breaches make the news because they are so rare. What is far more common is users doing careless things that neutralize your investment in security tools.
Every business has data that is regulated, sensitive, or confidential. It doesn't matter why you want to protect it, although in regulated industries like health care you must follow specific rules. More than half of the HIPAA Security Rule's safeguards for electronic data are Administrative safeguards (policies, procedures, and training), with the rest split between Technical and Physical safeguards. Surprised?
An effective way to find out what your users are doing is to walk in their shoes, or, more accurately, sit in their seats. Take a walking tour of your office, go into cubicles and offices, and sit at the desks. Get management support, because executives are sometimes the worst culprits.
Look around. Are there passwords on post-it notes on the monitor? Under the mouse pad or keyboard? Written on the calendar next to the desk?
Tell an employee you need to check their password to see if it meets the company requirements. Will they give it up? Nobody in IT ever needs to know a user's password, so anyone who asks for one should be refused. Check out this funny Jimmy Kimmel video about passwords.
Jiggle their mouse. Can you get right into Windows without entering a password?
What kind of physical security do you have? Are servers behind locked doors? Are visitors required to show ID? Are they escorted after they are admitted to your office? I have walked through many ‘secure’ facilities, wearing a suit and looking at my cell phone, never being challenged by many people who saw me but were too afraid to ask who I was and why I was alone.
These all seem too simple to be problems, but every question ties back to a client engagement we have had where Chief Information Officers, IT Directors, Office Managers, doctors, and business owners have been shocked.
They have all said that THEIR users would never do things like THAT. Then we take the walk and show them security lapses are taking place throughout their office. Many complain about how much money they have spent on Security only to have their users come up with ways to make the investments worthless.
The simple solution is to just TAKE A WALK and address any security violations you see.
You don't need complex policies unless you must comply with regulations such as HIPAA or financial-industry requirements. Simple policies will do: no passwords in plain sight, automatic screen lock after a short idle period, and locking or logging off before walking away from the computer. Those policies must be communicated, audited, and enforced. Employees must challenge visitors. They must never plug a thumb drive they found into a company computer. Check users periodically to let them know you are serious.
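One concrete way to audit the automatic-lock policy behind the mouse-jiggle test, as an added example that is not code from the original article: a PowerShell script that reads the screen-saver and machine-inactivity settings on a Windows workstation and reports whether an unattended session would lock. The registry locations are the standard ones Windows and Group Policy use; the 900-second threshold and the function names are assumptions made for this example.

```powershell
# Added example, not from the original article: audit whether this Windows
# workstation locks itself when left idle. Assumptions: Windows 10/11, run in
# a PowerShell prompt as the logged-on user, 15 minutes (900 s) as the maximum
# acceptable idle time before lock.

# Group Policy writes the user's screen-saver settings here; they override
# whatever the user chose in the Control Panel.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey    = 'HKCU:\Control Panel\Desktop'
# "Interactive logon: Machine inactivity limit" applies machine-wide.
$MachineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EffectiveSetting {
    param([string]$Name)
    # The policy value wins; fall back to the user's own setting.
    $value = Get-RegValue -Path $PolicyKey -Name $Name
    if ($null -eq $value) { $value = Get-RegValue -Path $UserKey -Name $Name }
    return $value
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 900)

    # Screen-saver path to a lock: enabled, password on resume, non-zero timeout.
    # Values are stored as strings ("1", "900"); a missing value casts to 0,
    # which correctly reads as "not configured".
    $active  = [int](Get-EffectiveSetting 'ScreenSaveActive')
    $secure  = [int](Get-EffectiveSetting 'ScreenSaverIsSecure')
    $timeout = [int](Get-EffectiveSetting 'ScreenSaveTimeOut')
    $screenSaverLocks = ($active -eq 1) -and ($secure -eq 1) -and ($timeout -gt 0)

    # The machine inactivity limit locks regardless of screen-saver settings.
    $machineLimit = [int](Get-RegValue -Path $MachineKey -Name 'InactivityTimeoutSecs')

    # Effective idle time before lock is the shortest configured path.
    $candidates = @()
    if ($screenSaverLocks)   { $candidates += $timeout }
    if ($machineLimit -gt 0) { $candidates += $machineLimit }
    $idleSeconds = if ($candidates.Count -gt 0) {
        [int](($candidates | Measure-Object -Minimum).Minimum)
    } else { $null }

    $findings = @()
    if ($null -eq $idleSeconds) {
        $findings += 'Never locks on its own: jiggling the mouse goes straight into the session.'
    } elseif ($idleSeconds -gt $MaxIdleSeconds) {
        $findings += "Locks only after $idleSeconds s; the limit is $MaxIdleSeconds s."
    }
    if (($active -eq 1) -and ($secure -ne 1)) {
        $findings += 'Screen saver runs but does not require a password on resume.'
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        User                   = $env:USERNAME
        ScreenSaverLocks       = $screenSaverLocks
        MachineInactivityLimit = $machineLimit
        IdleSecondsBeforeLock  = $idleSeconds
        Compliant              = ($findings.Count -eq 0)
        Findings               = $findings
    }
}

Test-ScreenLockPolicy | Format-List
```

Run it at each desk you visit and keep the output with your walk notes. It reads configuration only, so the mouse-jiggle test is still worth doing: a user can change the Control Panel setting after you leave, and a "keep awake" utility can hold the machine unlocked no matter what the registry says.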
Whenever you hire someone, make sure they get cyber-security training. At least twice each year, get your staff together and talk about cyber-security situations they are likely to encounter, like someone asking for their password, receiving a phishing e-mail, finding a thumb drive, or seeing an unfamiliar visitor wandering through the office.
Keep everyone’s ‘cyber-radar’ at a high level. Talk about security in your staff meetings. Put up signs or use video screens to remind everyone to be vigilant.
And, every month or two, take the walk.