Security is an essential business responsibility. In the typical organization a large share of security policy violations, by many estimates half or more, originate with internal personnel. Most of those violations are mistakes or errors caused by ignorance, but some are performed intentionally and maliciously, against the company, other employees or even customers. For a top executive, reducing these violations is crucial to maintaining a growing business. For an IT manager or security manager, reducing them is important to prevent downtime and improve efficiency. Fortunately, many steps can be taken to reduce end-user security violations. Most of these solutions combine technology with training, and each is designed to address a specific situation. These ideas will not address every issue occurring in your organization, but most organizations will recognize the majority of these concerns as their own.
One common problem occurs when users select poor passwords for their network logon. A weak password is easier for co-workers and outside attackers alike to guess. Workers should be trained on the importance of authentication security and the basics of strong password design and selection. It might be helpful to implement an internal website that discusses secure password concepts and provides a testing tool for workers to submit sample passwords to see their relative strength; such a tool must run over an encrypted connection, must never log or store what is submitted, and workers should be told to test candidate passwords rather than the ones they actually use. Furthermore, implement password requirements, such as a minimum of 10 characters and at least three different character types (uppercase, lowercase, numbers and symbols). Bear in mind that composition rules alone are a weak defense: a capitalized dictionary word followed by the current year and an exclamation mark satisfies them and is still among the first guesses an attacker tries. Length and a check against lists of known-breached passwords do more, and current NIST guidance (SP 800-63B) in fact favors length and breached-password blocklists over mandatory composition rules.
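The following is an added example of the kind of checker such an internal testing tool could run, written for this article rather than taken from it. It applies the 10-character, three-class rule above and then the checks that rule misses: a small breached-password list and dictionary (both constructed here as stand-ins for a real corpus), a repeated-character check and a "word plus year" check. The names of the functions and lists are this example's own.

```python
import re

# Constructed sample lists for the demo. A real deployment would load a large
# breached-password corpus (for example the Have I Been Pwned hash set) and a
# dictionary, and would run server-side without ever logging the candidate.
BREACHED = {"password", "password1!", "welcome2024!", "letmein", "qwerty123"}
COMMON_WORDS = {"summer", "winter", "spring", "autumn", "password",
                "welcome", "company", "admin", "monday"}


def char_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def check_password(pw: str, min_len: int = 10, min_classes: int = 3) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes.

    The first two checks are the composition rules from the text. The remaining
    checks catch the predictable patterns that composition rules let through.
    """
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if char_classes(pw) < min_classes:
        failures.append(f"uses fewer than {min_classes} character classes")
    if pw.lower() in BREACHED:
        failures.append("appears in breached-password list")
    # Drop digits and symbols to expose a dictionary-word core: "Summer2024!" -> "summer"
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_WORDS:
        failures.append(f"built from the common word '{core}' plus digits/symbols")
    if re.search(r"(.)\1{2,}", pw):
        failures.append("repeats the same character three or more times in a row")
    if re.search(r"(19|20)\d\d", pw):
        failures.append("contains a year, which attackers try early")
    return failures


if __name__ == "__main__":
    for candidate in ("Summer2024!", "Password1!", "correct horse battery staple",
                      "Tr0ub4dor&3-Glyph"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note the two opposite failure modes the example exposes: "Summer2024!" satisfies every composition rule yet is rejected by the pattern checks, while the long passphrase "correct horse battery staple" is strong but fails the three-class rule unless min_classes is relaxed, which is exactly the tension NIST's guidance addresses.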
Leaving documents or email open and visible on the display allows anyone passing by to read confidential or private information. Workers should orient their display so it is minimally visible from the most common walkway near their workspace. This might even require a privacy filter, which narrows the viewing angle of a display so that only someone looking at the screen head-on can read it. Whenever workers step away from their desk, they should trigger the password-protected screen lock. This hides any sensitive content in open documents while preserving their open windows and workspace layout. Because people forget, the organization should also enforce an automatic lock after a short period of inactivity through central policy rather than relying on the manual habit alone.
Workers are often the path by which malware enters the company network, whether by opening email attachments, clicking links in email messages, downloading files from the Internet or plugging in portable drives. Workers should be trained on the risks of moving data and how to reduce their risk of infection. The company should implement robust anti-malware scanning. Since only a single real-time scanner can typically be installed on one system, using different vendors' products at different tiers is a reasonable approach, for example product A on clients, product B on internal servers and product C on the mail and border servers, so that a sample missed by one engine has a second chance of being caught elsewhere. Consider stripping all attachments from inbound email and requiring workers to exchange files through a secure file exchange service instead.
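As an added example of the attachment-stripping gateway suggested above (this is illustrative code written for the article, not any vendor's product), the function below rebuilds an inbound message with every attachment removed and a notice pointing the recipient at the file exchange service. The sample message, the sender and recipient addresses and the portal URL are all constructed for the demo. No judgement is made about which attachments are safe: the point of the policy in the text is that a double-extension executable such as "invoice.pdf.exe" never has to be recognized, because everything goes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_message() -> bytes:
    """Constructed inbound mail: a text body plus two attachments, one of them
    an executable disguised with a double extension. Not a real captured message."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "worker@example.org"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


def attachment_names(raw: bytes) -> list[str]:
    """List the file names of every attachment part in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() or "<unnamed>" for part in msg.iter_attachments()]


def plain_text(raw: bytes) -> str:
    """Return the text/plain body of a raw message, or '' if it has none."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""


def strip_attachments(raw: bytes, portal_url: str) -> tuple[bytes, list[str]]:
    """Rebuild the message with every attachment removed and a notice appended.

    Nothing about an attachment (type, name, content) is trusted, so no
    allow/deny decision is made: all of them are dropped and the recipient is
    told to use the file exchange portal (assumed URL) instead.
    """
    removed = attachment_names(raw)
    if not removed:
        return raw, removed          # nothing to do; pass the message through unchanged
    original = message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if original[header]:
            clean[header] = str(original[header])
    notice = ("\n\n[Mail gateway removed {n} attachment(s): {names}. "
              "Files must be exchanged via {url}]").format(
        n=len(removed), names=", ".join(removed), url=portal_url)
    clean.set_content(plain_text(raw) + notice)
    return clean.as_bytes(), removed


if __name__ == "__main__":
    cleaned, gone = strip_attachments(build_sample_message(), "https://files.example.org")
    print("removed:", gone)
    print(cleaned.decode())
```

In a real gateway the stripped parts would be quarantined rather than discarded, so that a legitimate file can be recovered through the portal after scanning.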
Limited or Standard Privileges
Most organizations assign limited or standard user privileges to the majority of their employees. A limited or standard user account is typically not able to install new software or make system-level configuration changes. However, this does not by itself prevent the installation of browser add-ons or the launching of standalone, portable applications (software that does not need to be installed in order to execute). An application whitelisting (allowlisting) solution locks a computer down further. It is a deny-by-default control: nothing is allowed to execute except the specific applications on the whitelist. A whitelisted computer will only execute approved software, so workers cannot run portable applications and malware cannot run either. For the control to hold, the list should identify programs by cryptographic hash or publisher signature rather than by file name or path, since a renamed or replaced binary must not inherit another program's approval. The trade-off is that it also removes the ability of a worker to experiment with new tools and utilities on company systems, so there needs to be a process for requesting additions to the list.
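To make the deny-by-default idea concrete, here is an added example (written for this article, not the logic of any particular whitelisting product) that decides ALLOW or DENY for every file under a directory purely from its SHA-256 hash. The scenario in demo(), including the file names and the "approved tool" contents, is constructed in a temporary directory: the approved tool is allowed, a renamed copy of it is still allowed because the bytes are identical, a same-named but altered copy in the downloads folder is denied, and a portable application nobody approved is denied.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the file's bytes; identity is the content, never the name."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path: Path, allowlist: set[str]) -> str:
    """Deny by default: only a file whose SHA-256 is on the allowlist may run."""
    return "ALLOW" if sha256_file(path) in allowlist else "DENY"


def scan(root: Path, allowlist: set[str]) -> dict[str, str]:
    """Decide for every file under root, keyed by path relative to root."""
    return {p.relative_to(root).as_posix(): decide(p, allowlist)
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo() -> dict[str, str]:
    """Constructed scenario in a temporary directory (not real company files)."""
    approved = b"#!/bin/sh\necho 'approved tool'\n"
    allowlist = {hashlib.sha256(approved).hexdigest()}   # assumed approved binary

    root = Path(tempfile.mkdtemp(prefix="allowlist-demo-"))
    (root / "bin").mkdir()
    (root / "downloads").mkdir()
    (root / "bin" / "approved-tool").write_bytes(approved)
    (root / "downloads" / "renamed-copy").write_bytes(approved)           # same bytes, new name
    (root / "downloads" / "approved-tool").write_bytes(                    # same name, altered bytes
        approved.replace(b"approved", b"trojaned"))
    (root / "downloads" / "portable-app.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 64)
    return scan(root, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5} {name}")
```

A production control would be enforced by the operating system at execution time (AppLocker, Windows Defender Application Control, or a Linux integrity mechanism) rather than by a scan, and would usually accept publisher signatures as well as hashes so that routine updates do not require re-approval of every binary.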
Bring Your Own Device (BYOD)
Portable devices are everywhere. Whether a smartphone or a tablet, many workers want to bring their own devices into work. However, these devices present numerous security concerns to an organization: too many device models with widely varied software and hardware, and vastly variable security features. The most secure option that will still keep workers modestly satisfied is to provide guest Wi-Fi Internet access on a network segregated from the company's private LAN. Beyond that, do not allow any personal device to connect to the company network or to any company equipment, not even "just to charge." A security training seminar should explain that the USB cable workers use to charge their devices from a computer's port is normally both a charging cable and a data cable, so a data path to the portable device is established even when the connection was made "just to charge." That link could allow malware to move from the device to the computer, or sensitive data to move to the portable device. Companies should provide dedicated USB charging ports, wall adapters or data-blocking (charge-only) adapters that are independent of the computer systems, and should consider restricting computer USB ports to approved devices through endpoint policy. Additionally, companies should consider setting up a web-based portal to their company email server, protected by multi-factor authentication, so that workers can access work email from their portable devices whether in the office or away from it. It might even encourage some workers to handle minor tasks on their own time.
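The "just to charge" connection described above leaves a trace in the host's kernel log. As an added example of detection logic (written for this article, not taken from any monitoring product), the script below correlates dmesg-style USB attachment lines by port, then flags devices that are not on the company's issued-device list, that come from a phone vendor, or that expose mass storage. The log excerpt, the approved-device list and the vendor table are all constructed for the demo.

```python
import re

# Constructed kernel-log excerpt in dmesg style; not captured from a real host.
SAMPLE_LOG = """
[ 1234.567] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1234.700] usb 1-1: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 7.03
[ 1234.701] usb 1-1: Product: iPhone
[ 1234.702] usb 1-1: Manufacturer: Apple Inc.
[ 1240.100] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[ 1240.101] usb 1-2: Product: USB Receiver
[ 1250.300] usb 2-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1250.301] usb 2-1: Product: Ultra Fit
[ 1250.400] usb-storage 2-1:1.0: USB Mass Storage device detected
""".strip().splitlines()

# Constructed policy: company-issued devices by vendor:product id, and vendor
# ids of common phone makers. A real deployment would pull these from inventory.
APPROVED_DEVICES = {"046d:c52b"}
PHONE_VENDORS = {"05ac": "Apple", "18d1": "Google", "04e8": "Samsung"}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_devices(lines) -> dict[str, dict]:
    """Correlate per-port log lines into one record per attached device."""
    devices = {}
    for line in lines:
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = {"port": m["port"], "id": f"{m['vid']}:{m['pid']}",
                                  "name": None, "storage": False}
        elif (m := PRODUCT.search(line)) and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
        elif (m := STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return devices


def analyze(lines) -> list[dict]:
    """Return an alert for every device that violates the personal-device policy."""
    alerts = []
    for dev in parse_devices(lines).values():
        reasons = []
        if dev["id"] not in APPROVED_DEVICES:
            reasons.append("not a company-issued device")
        vendor = dev["id"][:4]
        if vendor in PHONE_VENDORS:
            reasons.append(f"{PHONE_VENDORS[vendor]} phone/tablet on a data-capable port")
        if dev["storage"]:
            reasons.append("exposes mass storage")
        if reasons:
            alerts.append({**dev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"port {alert['port']} {alert['id']} ({alert['name']}): "
              f"{'; '.join(alert['reasons'])}")
```

Detection after the fact is the weaker half of the control; on the same hosts, prevention would come from the kernel's USB authorization facility or a tool such as usbguard that refuses unlisted devices before they enumerate.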
Personal Home Computer
Sometimes sensitive information ends up on the Internet because it was transferred to a worker's personal device during a work task and then accidentally (or deliberately) shared from that device later. This is an all too common issue when workers telecommute using their personal home computers. Workers need to be trained on how mixing personal computing with work tasks is likely to lead to disclosures, either of company information to the public or of personal information back to the company. There are several ways to reduce or eliminate this problem. One is to issue a company-owned computer to each telecommuter, used exclusively for work and never for personal activities or shared with family or friends. Another is to use virtual desktops: the telecommuter connects to the office network and is directed to a virtual machine running on a company server, from which they can perform all the same tasks as if they were sitting in their workspace. Such a configuration needs only a prohibition against moving files to the remote computer, enforced by disabling clipboard, drive, printer and file-transfer redirection between the virtual session and the home machine, to prevent or at least significantly reduce data leaks.
One final example of a common worker error is discounting the physical elements of the company's security infrastructure. Locked doors, sealed windows, security cameras, access badges and access logs are all essential security components. Workers need to be trained to understand and respect the totality of the security infrastructure, not just the technical elements, because without physical security and resistance to social engineering, the logical and technical controls of the IT systems are nearly worthless. It is the worker's responsibility to double-check any request that encourages them to violate a rule or procedure, to close and re-lock any door they unlocked, and to report anything suspicious to security staff. Companies should consider auto-closing and self-locking doors, mantraps or turnstiles, and digitally logging each worker's entry with a smart card so that tailgating and unusual access patterns can be detected.
These are obviously not all of the security issues caused by worker errors, mistakes or oversights, but they are common concerns that most organizations need to address. Top-level executives and IT security managers need to have open and frank discussions about end-user security issues and find solutions that fit their culture, existing infrastructure and budget.