As an IT department, we are tasked with, and spend an inordinate amount of time on, securing our physical assets and protecting our boundaries from external threats. It has been said a thousand times over that, in actuality, one of our biggest threat vectors is ourselves, as humans.
So, how can we improve the security of our human habits?
In this post, I will share with you the Top 10 behaviors we have asked our employees to target to improve our security posture. We chose these based on the simplicity of implementation and the risk reduction these practices can deliver:
10. Put a password on your home network
I can’t count the number of neighborhoods I drive through where I see open wireless networks. Lock it down (it will save your bandwidth, too!).
9. Wear and Display your badge all day, every day in the office
If someone gets off the elevator with me and I don’t see a badge or know them, I should be asking. There should be a single point of entry into the office, and someone without a badge needs to go there.
8. Use the “Guest” network for any non-managed devices
This protects your corporate network in so many ways. Since your IT department isn’t managing these devices, it is critical that they stay on a network segment that is segregated from your important data: they may be vulnerable, and you have no visibility into their status.
7. When you leave your computer, lock your computer
Working on financials? Coding? Staff lists you are reviewing? Don’t leave it visible for others to see when you leave your desk. Jump drives take a moment to insert, gather data, and be off, undetected.
6. Never write your passwords down or share them
Passwords should be difficult to guess, but don’t make them so hard that you have to write them down. Using a password made up of a sentence works wonderfully. There are lots of great articles showing you how. An example:
Sentence: I really like to eat oatmeal every day of the week except on Sundays!
By taking the first letter of each word and adding a bit of special-character variety, I have created a 15-character password that would take a PC 157 billion years to brute-force.
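As an added illustration (not code from the original post), this builds the password from the sentence above exactly as described and shows where a brute-force estimate comes from; the guess rate of 10^11 per second is an assumption for the calculation, not a figure from the post.

```python
import math
import string

# Constructed example sentence, taken from the post above.
SENTENCE = "I really like to eat oatmeal every day of the week except on Sundays!"


def initials_password(sentence: str) -> str:
    """Build a password from the first letter of each word, keeping any
    punctuation that ends a word so it adds special-character variety."""
    parts = []
    for word in sentence.split():
        parts.append(word[0])
        parts.append("".join(ch for ch in word[1:] if ch in string.punctuation))
    return "".join(parts)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, based on the character
    classes actually present (the usual brute-force strength model)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def strength_estimate(password: str, guesses_per_second: float = 1e11) -> dict:
    """Keyspace size, entropy in bits and worst-case years to exhaust the space.
    The guess rate is an assumed value for illustration only; real attackers
    also try dictionaries and famous quotes first, so pick an original sentence."""
    n = charset_size(password)
    keyspace = n ** len(password)
    return {
        "length": len(password),
        "charset": n,
        "bits": len(password) * math.log2(n),
        "years_to_exhaust": keyspace / guesses_per_second / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    pw = initials_password(SENTENCE)
    print(pw, strength_estimate(pw))
```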
5. Password protect your mobile devices
Most people who “pick up” our mobile devices are just looking to sell the equipment, but consider what happens if the device isn’t password protected. Do you receive work email on your phone? What is the impact if that is “spilled”? Devices will accept PINs or passwords under their settings.
4. Use and store company data only on secure locations
It was announced recently that Dropbox users have leaked tax returns, mortgage applications and more. When a user creates a shareable link on Dropbox or Box, anyone with that link can access the data; you don’t even have to be registered. Something to ponder.
3. Incident Response Team – know when and how to initiate
As more companies outline a security plan, one of the first things they should consider creating is an incident response team. This team would respond to potential breaches or leaks and determine how to handle them. Just as important as the team itself is ensuring everyone in your company knows how to initiate it.
2. If you suspect your computer is infected, know what to do (e.g., call the Help Desk)
Do you know the telltale signs that your computer may be infected? Slower performance? Fake antivirus messages or new toolbars in your internet browser? Have someone in your IT department take a look and clean it.
1. Think before you click a link
When in doubt, don’t click the link. Make sure to hover over links and see where they actually lead. Remember that alarming warning messages are crafted to induce fear so you will act without thinking. Most vendors will not ask you for information over email; they will ask you to log in to your account and change it there.
While these seem obvious, it makes sense to remind your employees of their responsibility for security. There are several ways you can make it more fun:
- Do a top 10 video (a la David Letterman) to add some humor to the reminders;
- Have a contest (e.g., if you move all your passwords to the approved solution in the month of May, be entered into a drawing to win a $50 gift card); and
- Send out more specific information on each item (e.g., a 2 min self-video of how to create a pass phrase).
Arming your employees with fun, interactive ways to participate in building security posture pays off in spades. Add this to the hard work you are doing to protect your IT assets and you will find yourself making good progress in your security campaign.