Protecting Your Company's Network Security
By Douglas Grosfield | September 1, 2011
Simple Mistakes that Could Lead to a Security Breach and Devastating Consequences
For most businesses, being secure means investing in a good alarm system, using swipe cards to access the building and investing in the top-of-the-line network firewall.
The truth is, the greatest threat to a company's security can be found among its employees. It's part of a growing phenomenon known as social engineering, which is the art of exploiting human error in order to gain access to buildings, servers or data.
According to Deloitte's annual security survey, human error is the greatest vulnerability to a company. A simple mistake can lead to a breach in network security, which can be devastating for a company. Companies can face terrible consequences such as the loss of client data and financial information. Even worse, try explaining to the police why your disk space is being used to distribute pornography. Protecting your data and network security is just as important as, if not more important than, protecting your property.
So how do you do this? A quick stroll through a workplace may reveal some common mistakes that could pose serious security violations:
Passwords on a sticky note: It's amazing to see how many people write their passwords on a sticky note and leave it on their desk. You probably wouldn't post your PIN in plain sight, so why post your password? A password can provide access not only to personal files and contacts but also to the company server. In larger offices, someone could walk in, pretend to be a supervisor, gain access to passwords and confidential data, and ultimately compromise a company's network security.
To avoid this, consider instituting a password policy in the workplace which would ensure staff do not leave passwords in the office space. It should also ensure that passwords are changed on a regular basis.
Obvious passwords: Humans can be so predictable. Lists of the most common passwords show "123456" and "password" among the most popular. Avoid using obvious passwords such as names or addresses. When you do create your password, strengthen it by mixing letters, numbers and symbols. For example: a password such as apple can be written as @pp1e. Passwords should be hard enough to avoid being cracked but easy enough to remember.
Work Documents Lying Around: We often leave the office with papers on our desks or even forget to pick them up off the printer. Often, work documents may contain a UNC path, which can reveal server names, folder structure, etc. Essentially you are leaving the key in the door, allowing anyone to enter at their leisure. Be sure to file away work documents and shred sensitive printouts when they are no longer needed.
Applications Left Open on Computer: We sometimes rush off to meetings or run to the bathroom and don't bother to lock the computer screen. It takes seconds for someone to get in and access the same information that an employee can access. No matter how brief the break, always log off from the computer when you step away from the desk. It may help to set up the computer to log off after a set time of inactivity.
Handheld Devices Left Unattended: While many of us cannot part with our handheld devices, we often see them lying on the desk or even on the bathroom counter in communal washrooms. The problem with this is that many people store passwords and sensitive personal and professional information on their BlackBerrys or handheld devices. Ensure that your phone has a password and that its security or encryption features are enabled, because even if there is a password, the memory card can be removed from the device and inserted into a computer in order to access the information.
Wireless Network Open for Others to Use: Wireless internet is a wonderful thing. Companies can set it up so clients/customers visiting their business can access the internet. Many people have now learned to protect the network with a security key rather than leave it unsecured for anyone to use. A security key is not enough. It can be cracked, depending on the level of encryption. Set the SSID (service set identifier) to not broadcast. Every wireless network has an SSID, which is its public name. When the SSID is set not to broadcast, the network is hidden and does not come up as an option for others to click on.
There are many other ways a social engineer can access critical information. The more savvy they are, the better they are at indirectly probing staff for details that may help them reach critical information. Encourage staff to be aware of what information they are sharing, and with whom, to avoid a possible security breach.
If you are not sure whether your workplace is at risk of a potential security breach, ask your IT team to perform a thorough risk analysis and identify any potential threats and vulnerabilities. Just as setting the alarm and locking the doors provides a sense of security, so too will this initial investment of time in ensuring your company's data and network are secure. It will not only protect your sensitive information, it could save your company's reputation in the long term.