Usually when I talk to people about computer security, I discuss software updates, firewalls, and malware protection; however there is another important aspect of computer security to keep in mind: the humans that work for you. Unfortunately, most security vulnerabilities start with an employee, either overtly or inadvertently. In part 2 of this article, I will discuss how to find and prevent inadvertent security breaches.
Inadvertent Security Breaches
Most security issues are caused by employees that do not understand that the things that they are doing on their computers can cause security breaches. First and foremost, it is important that your employees are properly trained on things that can cause security issues on the computer network. The following list is not all inclusive, but these are common ways that your employees can cause major issues on your computer networks.
1. Giving out information to those that don't need it
Unsuspectingly, your employees could give someone the key to your computer network. 20 years ago, while working at a small business, I received a call from someone claiming to be the toner supply company and they needed the make, model and serial number of our copier. Unknowingly, I gave it to the person on the other end of the phone. I told my supervisor what I had done and what company had called. He told me that they had no business relation to that company and they were trying to figure out if we had equipment that was worth stealing. I learned that day to trust no one on the phone, email or in person unless I knew them personally beforehand. This type of security breach is called social engineering and is used very often by hackers and thieves. One of the most notorious is Kevin Mitnick, now a reformed hacker. He was able to gain access into large corporate networks through their employees. Watch this video on how he did it.
2. Downloading Unauthorized Programs
It is very common for a technician to log into a PC and find numerous programs running on the client's PC. Things like web browser tool bars, coupon programs, weather programs, downloaders (Bittorrent, etc), PC cleanup programs and many other "useful" programs. The problem with these is that many are actually spyware, meaning they track the usage of the computer and report that back to a central system. They collect browsing habits, visited websites, and possibly confidential information such as credit card numbers. It is important to only install programs and apps that are business related on corporate computers.
3. Laptops, Thumb Drives and Other Portable Media
Confidential company information should never be taken out of the office unencrypted. An interesting Internet search is "government loses laptop". Stolen laptops, thumb drives and other portable data can carry confidential information about your company, your clients and your employees. An exposure of social security numbers, bank account information or other private data can be a huge liability for your organization. Any confidential data should be encrypted before being taken offsite.
Additionally, if the employee leaves the company, it is much easier today to take information such as customer or vendor lists along with them. Although difficult to prevent, make sure you have proper non-disclosure agreements in place to protect your company.
4. Shared Data Systems
Along the lines of portable data is new technology such as Dropbox, SkyDrive and Google Drive. Your information stored at these sites may not necessarily be secure. A recent data breach at Dropbox proves this case. Make sure that the company storing your information offsite, whether backups or shared data systems, uses high encryption technology and can be held liable for any data breaches.
5. Software Licensing
Although not running licensed software may not cause a security breach, it can still cost your company a large sum of money. The Business Software Alliance actively targets disgruntled employees, seeking information on companies that do not purchase licensed software. Make sure that your company abides by all software licenses and has enough licenses for all employees.
Through a little training, your company can be much better protected from inadvertent security breaches that can cost your real dollars. If you have any questions about these items or any other security concerns that you have, please feel free to contact Stimulus Technologies and a consultant will be happy to further discuss them with you.