10 IT Security Lapses and What You Can Do to Prevent Them
Park Place: Hardware Maintenance
In today’s workplace, IT security personnel may feel they are on the defense against James Bond. Equipment once reserved for international espionage—tiny cameras in eyeglasses!—is now cheap and easy to come by.
Additionally, the globalization of business and the ever-increasing flow of data across both corporate networks and the internet have resulted in an unprecedented number of attacks on IT infrastructure. Seemingly every day, a new threat is revealed, usually when another organization makes the news with a disastrous security failure.
As IT becomes more innovative and agile, countermeasures have evolved alongside the threats and help security teams do their job. But they only work if IT personnel remember the basics and learn from others’ mistakes.
While we generally focus on third-party hardware support, software support, and network monitoring, we’ve compiled 10 examples of common IT security lapses and what you can do to prevent them.
#1 We’ll Be Together Forever
In the course of day-to-day operations, it can be difficult to keep in mind that every employee, vendor, and supplier could someday be an ex-employee, ex-vendor, or ex-supplier. And their reactions to the dissolution of a professional relationship can be just as toxic and unpredictable as a romantic ex plastering unflattering information on Facebook.
Too often, disaffected employees and spurned business partners are left to do immense damage simply because the IT department lacks an adequate access-revocation policy. IS Decisions surveyed 2,000 desk-based workers in the UK and US only to find that about one-third of ex-employees are left with access to systems and data after leaving a company.
When an employee is leaving or when a contract is expiring, IT should be informed right away. Precautions must then be taken quickly to ensure the individual cannot wreak havoc on the corporate network in the last moments on site—or later, off site.
In most cases, employee and business relationships end and all involved part ways professionally. But the IT security team must defend against the exception and make immediate deactivation of rights and disabling of credentials the rule.
#2 The Post-It Note Grab ‘N Go
Large IT departments churn out new computers like assembly lines. The seemingly endless arrival of new devices on the corporate network means IDs and passwords are constantly being created and changed.
The all-too-easy answer is to scribble the login credentials on a slip of paper and attach it to the workstation or device in question, or leave it on the employee’s desk. In fact, in a series of recent security tests performed by Trustwave, written passwords were found on or around 15% of user workstations.
Simply writing down IDs and passwords is one of the leading causes of unauthorized network access. Once committed to paper, credentials are readily visible to any passerby and easy to grab with an unnoticed swipe of the hand. This can lead to a breach of private data.
Don’t advertise access credentials. Make sure the IT department has a procedure to safely and securely get IDs and passwords into the end user’s hands—with no Post-It notes involved.
#3 Data at Rest May Not Remain at Rest
Encrypting data is simple. Some IT professionals resist it, however, because encryption does affect ease of use.
A well thought-out data encryption plan will balance security and usability. Creating a strong, clear policy is a must for any IT department.
Implementation doesn’t end with network administrators. Employees must be educated on the policy, so they understand when and how data should be encrypted and what types of data are most vulnerable to exploitation.
In today’s environment, there is no excuse for leaving data at rest unencrypted. Encryption policies must extend not only to network servers but also to devices used out of the office, which are all the more likely to walk away, and to cost your company a lot of money when they do.
#4 Done Wrong by the App Store
End users love their apps. Popular choices like Evernote, Dropbox, and Google Docs can all provide third parties with access to corporate data. Remote access applications, such as LogMeIn, can also supply a back door through the firewall and open an internal network to the outside world—often without anyone in IT knowing.
These factors make the use of non-approved software a real security problem. A study by Cisco security experts found that more than one-third of corporate data loss incidents were caused by unauthorized programs installed by employees.
Companies large and small can be affected. Just look at Hillary Clinton and the criticism she has faced for using an unauthorized email provider during her State Department tenure. Thanks to her oversight, Top Secret files may still linger on Google’s servers, and the Chinese government probably knows it.
The best way to combat app- and software-related mayhem is to provide employees with all the tools they need to perform their jobs.
Even adequately armed for business, employees may still vow to cling to their iStore finds until you pry them from their cold, dead hands. To instill a touch of reason, make sure every individual knows which apps are verboten and, just as importantly, why. Helping employees understand the risk of data exposure will help them see IT isn’t just a Scrooge taking their cool toys away.
As difficult as it is to keep up with the releases, maintain a tight list of approved applications on hand. Update and disseminate it frequently.
#5 Blind Trust Leading to a Blinding Blame-Storm
Obviously companies need to be able to trust employees, but blind trust is never a good idea when it comes to IT security. A single rogue with access he or she may not need can lead to a massive data breach.
Even the NSA has fallen prey. By granting Edward Snowden unwarranted security access to classified material, the organization opened hundreds of thousands of pages of information to the media. The scapegoat hunting soon followed.
There will always be a need for employees to access sensitive data. To minimize risk, IT should keep things strictly compartmentalized. Today’s technology allows for fine-grained access rights, but admins sometimes don’t bother to use these tools to their full potential.
IT security policy must be designed to ensure that admins leverage every capability at their disposal to provide employees with tightly defined data access that is limited to their precise needs and job responsibilities. Regularly scheduled audits should be used to align access rights with evolving employee functions and to shut off access to data an individual no longer has a valid reason to view.
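The access-revocation rule from #1 and the scheduled audit from #5 come down to the same reconciliation: compare who still holds enabled accounts against who should. The script below is an added example, not part of the original article or any Park Place tool; the roster, account list, and the 90-day staleness threshold are constructed for illustration.

```python
# Added example: reconcile an HR/vendor roster against an account inventory
# to find access that should already have been revoked (#1) or that no
# longer has a valid business reason (#5). All data here is constructed.
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    username: str
    owner: str          # id of the employee or vendor on the roster
    enabled: bool
    last_login: date

# Constructed HR roster: owner id -> (status, end date or None)
ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", date(2016, 2, 12)),
    "v200": ("contract_expired", date(2016, 1, 31)),
}

# Constructed account inventory, as an IAM export might look
ACCOUNTS = [
    Account("alice", "e100", True, date(2016, 3, 1)),
    Account("bob", "e101", True, date(2016, 2, 11)),
    Account("vendor-svc", "v200", True, date(2015, 12, 20)),
    Account("old-share", "e999", True, date(2015, 6, 1)),
]

def audit(accounts, roster, today, stale_days=90):
    """Return {username: reason} for enabled accounts that should be disabled.
    departed: owner's employment or contract has ended (#1)
    orphaned: owner is not on the roster at all
    stale:    no login for stale_days, so the access is likely unneeded (#5)
    """
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue
        entry = roster.get(a.owner)
        if entry is None:
            findings[a.username] = "orphaned: owner not on roster"
        elif entry[0] != "active":
            findings[a.username] = f"departed: owner {entry[0]} on {entry[1]}"
        elif (today - a.last_login).days > stale_days:
            findings[a.username] = f"stale: no login for >{stale_days} days"
    return findings

def run_audit(today_iso, stale_days=90):
    """Run the audit over the constructed data; today_iso is 'YYYY-MM-DD'."""
    return audit(ACCOUNTS, ROSTER, date.fromisoformat(today_iso), stale_days)

if __name__ == "__main__":
    for user, why in run_audit("2016-03-15").items():
        print(f"disable {user}: {why}")
```

In practice the roster comes from HR and the inventory from the directory or IAM export, and the findings feed a disable step rather than a print statement.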
#6 The Classic Hack is the Human One
Probably the oldest threat to IT security is plain social engineering. It worked for Kevin Mitnick and it still works today.
Phishing emails are effective. Even basic politeness undermines companies’ interests when employees are asked to share internal information and can’t find a nice way to say “no.”
Human interactions are an unavoidable weak link in the IT security fence. The only solution is consistent training on potential hazards and sensible protections.
Every employee should receive this education as part of the onboarding process and then undergo regular refreshers, from in-person briefings to reminder emails. Customer-facing employees require special attention.
#7 Wham! Spam! And Thank You Ma’am
Employees need to be able to send emails to colleagues, as well as to identify and contact a person in a far-flung office with the information or skills they need to get a job done.
The usual solution is to create a list of employee names, titles, and contact information, including email addresses. This list often floats freely around all corporate offices and may be distributed to companies the organization does business with.
Most people don’t treat this information as privileged, so it easily falls into the hands of third parties with nefarious intentions. Best case, the network and the employees suffer annoying, bandwidth-eating email spam. Worst case, hackers gain an avenue to internal business information and private communications, and cost your business $11.6 million, the average cost per cybercrime incident. They will never send a thank-you note.
IT security should consider the corporate directory valuable and protect against security issues by determining how and where such lists should be stored and maintained.
#8 Freedom isn’t Free. There is a Hefty Fee.
Open WiFi access points are everywhere. McDonald’s, Walmart, Home Depot, and the corner coffee shop all offer in-store WiFi access. It may be free, but it comes at a price.
Unsecured WiFi hotspots give hackers easy access to corporate devices on the network. Most people do not understand that using an unsecured access point exposes all traffic to other connected parties. Emails, web browser visits, and even the contents of the local drive may be accessible.
Employees should be encouraged to use paid, secure internet services, and the company may benefit from making them universally reimbursable. The overhead and bandwidth charges of keeping mobile employees securely connected pale in comparison to the cost of repairing the damage from a single large data theft.
IT security should also brief employees on what networks they can and cannot use with company-provided devices or any piece of kit with company information on it. Ensuring they have and understand how to use tools like VPN encryption will go a long way to keeping corporate data safe.
#9 Oops! I Did It Again…
Some people misplace their keys. Others can never find a matching pair of socks. And unfortunately, some employees are a mess when it comes to phones, laptops, and tablets.
A serious security problem can arise when an employee drops a smartphone on the subway during their commute home. Theft of corporate hardware—whether from pocket, purse, home, or a hotel room—is also a huge problem.
The Veterans Administration recently spent more than $100 million to rectify a data spill that ensued when a government-issued laptop was stolen from an employee’s house. Most organizations cannot survive such a cost.
Once a device has been set up to access internal IT assets, it becomes a potential attack vector if it falls into third party hands. IT security must set policies to control the flow of equipment outside the work environment.
Given the mobile nature of business, an emergency action plan for tracing or remotely wiping a device is absolutely essential. Employees must also be encouraged to ‘fess up to IT immediately if a device goes missing. IT should ensure this involves as little humiliation as possible to maximize compliance.
#10 License to Spill
Finally we get to the James Bond factor: Phones with more storage capacity than the space shuttle. Watches smarter than some people. Eyeglasses with full internet capabilities. And drones!
Well, maybe not drones, but who knows? The point is that incredibly powerful tools exist to boost productivity and drive value to a company’s bottom line.
These same devices represent the greatest challenge facing IT professionals charged with data and network protection. Almost without exception, this tech has built-in cameras and microphones, as well as the ability to join WiFi and Bluetooth networks, the same means by which the infamous Flame malware spread to computers around the world. Their suitability for surreptitious use is unprecedented.
IT needs a well-reasoned and realistic plan for the use of personal tech in the corporate environment to ensure network and data integrity. The folks over at WeLiveSecurity have put together a white paper to help IT shops get a handle on employee-owned and company-owned devices in the workplace.
The Future is Now
No matter how well a CIO, CTO, or IT security expert studies past security failures, it can be like a general fighting the last war. The ultimate goal is to prepare for the next challenge, even without knowing what precisely it will be.
Constant vigilance is the order of the day. Make time regularly to review data security policies and to ask tough questions about who can access data, what they are capable of doing with it, what devices it can be put on, and how it might be compromised.
No organization can be 100% protected, but diligent effort, sometimes aided by expert assistance, can make you much less likely to be the next epic security fail on the news.